Latest Version CWShredder Bug or ??

[subratam]

I have got the latest CWShredder and for safety ran once to see whether it catches anything, I might not have noticed.
Ok it removed CWS: About.blank.
good... my system got clear.
Now after seeing this thread at Spywareinfo
http://www.spywareinfoforum.com/forums/index.php?showtopic=33697&st=0&#entry175256
I ran again... to see the same About.blank CWS again in my machine.
Now... whats the comments or real happening?
the CWShredder 1.5.21 had hosts file bug.. this one about.blank or.. any evil for sure??

[Pieter_Arntz]

Hi subratam,

Can you run the Scan only and post the report?

Regards,

Pieter

[subratam]

here it is

CWShredder v1.53.0 scan only report

Windows XP (5.01.2600 )
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Administrator\Application Data
Username: Administrator

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (768 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (727 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

- END OF REPORT -

And as I ran fix once more... it removed About.blank again

[Pieter_Arntz]

Do you have your StartPage set as about: blank ?

Regards,

Pieter

[subratam]

OK,
I have 3 browsers,
Opera 7.23 (with Java) -> continue from last time, even the start page is Opera Home site
FireFox-> start page is www.yahoo.com
IE -> start page is www.yahoo.com

[Pieter_Arntz]

Hi subratam,

I would think CWShredder only looks at IE.
Can you post your HijackThis log just to make sure you are not really infected.

Regards,

Pieter

[subratam]

Ok Sir,

My Hijack Log

Logfile of HijackThis v1.97.7
Scan saved at 5:21:21 PM, on 3/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Opera7\opera.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.108-big.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.108-big.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.5312962963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B07283C3-D8C0-4D9B-A9CC-0B8BC91F6E05}: NameServer = 172.16.0.1

, Is all ok?

[Pieter_Arntz]

Yes, your log looks OK.

The items mentioned in the post by Galadriel here: http://www.spywareinfoforum.com/forums/index.php?showtopic=33392
are CWS About.blank.

No sign of any of that in your log. I've pointed Merijn this way.

Regards,

Pieter

[subratam]

Just see here
http://www.spywareinfoforum.com/forums/index.php?showtopic=33647
almost all have same problem(if you have already not given a look)
I think, as I said before, might be a bug. anyway your comment over there about your reporting to Merijn would be helpful for them too

good day

[Merijn]

My bad, fixed. v1.53.1 shouldn't do that anymore.

It was a small bug in the FileExists function on Win2000/XP.

[Pieter_Arntz]

Thanks for dropping by Merijn.
We know how busy you must be.

Regards,

Pieter

[bandonisp]

I should know this!! Could you post the link to get the latest version of cwshredder!! Thanks

[subratam]

Hey Merijn,

Nice to see you dropping by and ya we all know how busy you are .
take care