CWS Problem - Won't go away

Discussion in 'adware, spyware & hijack cleaning' started by richter, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. richter

    richter Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    51
    Hello,

    I need help removing something that's slowing my computer to a crawl in the first 30 seconds or so whenever I connect to the Internet. It takes ages to type anything into the address bar of any browser (IE and Firebird). I've been running the CW Shred utility a few times since yesterday and every time it reports my computer is clean, but I'm still having problems. It did remove CW twice (what on Earth?) yesterday and I thought that'd take care of it, but my computer still goes slow whenever I connect to the Internet. I don't know how I got infected. I had Spyware, AdAware, SpyBot, IE-Spyad and Tiny PF installed before things went wrong two days ago (I usually used just a plain firewall, ZA, and never all this additional software, but I thought at least Tiny's Sandbox would keep me protected from further infections). I'm running Win XP with SP1 installed (I didn't have any additional patches though, as downloads from Windows Update are too big for me to download them). This happened a month ago as well. I had to reinstall Windows to get rid of this pest. I installed Sun's Java as this seems to use a hole in the Microsoft JVM. I followed instructions to remove MS JVM but I get "java.inf file could not be located" (or something like that). Maybe because SP1 is slipstreamed onto the CD? I've two roomies using this computer as well, and I never caught anything besides some adware before. Could I do anything further to protect this from happening? I did install, too late I guess, a patch for MS JVM yesterday.

    Anyway, here's my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 20:27:22, on 8.1.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
    C:\Program Files\Common Files\PFShared\UmxCfg.exe
    C:\Program Files\Common Files\PFShared\UmxPol.exe
    C:\Program Files\Tiny Personal Firewall\UmxAgent.exe
    C:\Program Files\Tiny Personal Firewall\UmxTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\IrfanView\i_view32.exe
    C:\Program Files\foobar2000\foobar2000.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neowin.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFShared\weaddon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37993.1215625
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4313/mcfscan.cab

    I ran a complete scan with TrojanHunter, TDS-s, tried three different online virus checkers (Panda, Trend Micro and McAfee) and by every means the system is clean of all pests... but there's still something slowing things down. Is there something that could be done? Neither Adaware nor Spybot caught this thing while the computer was infected (only CW Shred detected it). Spywareblaster didn't block it… is there ANYTHING that can actually block this thing for good? It's the only thing that got on my computer, and I've been using a computer for ages now.

    TIA,

    richter
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi richter,

    Nothing wrong in your log. Any idea why you have so many instances of IrfanView running?

    Regards,

    Pieter
     
  3. richter

    Hello,

    Thanks for checking out my log. Yes, I had a few pictures opened at once with IrfanView when I was scanning it with HT. Any clue what might have been altered by CWS that slows down my computer? I'm trying to find more info on this but nothing. Spywareinfo.com seems to be down. I saw on the CWS Cleaner author's site that the writers of CWS have been nagging him a lot lately. I read that people who are infected with CWS also have problems accessing spywareinfoforum.com or downloading the cleaner tool for it. It seems a lot of people are infected with it (I have seen a lot of mention of it there, that's why).

    regards,

    richter
     
  4. Pieter_Arntz

    That you can't reach Spywareinfo has nothing to do with your infection. The entire server is down.

    Funny detail. CWS made a hosts file trying to block people from the SWI-forums with a spelling error in it. :D

    Did you check in TaskManager if there is any process using up a lot of CPU time?

    Normally the worst slowdowns by CWS are caused by the style sheets, but I saw none in your log.

    Regards,

    Pieter
     
  5. richter

    Hi,

    No, I was able to access spywareinfoforum.com all the time, except once an hour ago when it said their account was "deactivated".

    LOL! I wasn't aware of that fact (spelling error). At least they should do it properly if they were trying to keep people away from that site.

    I just checked Task Manager and nothing seems to be out of the ordinary. I will look deeper into it to see if there's anything that could be causing this. It's just weird, as the computer is clean.

    I just ran across this article on neowin.net:
    http://www.neowin.net/comments.php?id=16456&category=main

    Coincidence? I have no idea whether this is true or not. Although, I don't think this could be my problem. I hope it is just a certificate problem and not something with the system. :) I'll see if any of my colleagues were doing something I am not aware of.

    Thanks for explaining the CWS issue to me. I appreciate it.

    Sorry to ask in this thread (admin can remove this if necessary), but I was wondering if you could tell me where I could obtain a copy of IDBlaster? The link on Wilders doesn't work and I wasn't able to find any other mirror for it. Not that important. I just like testing software.

    Regards,

    richter
     
  6. Pieter_Arntz

    Hmm. I am not a firm believer in coincidence.

    Keep us posted on what you find out.

    About IDBlaster. The testing will have to wait, but hopefully not too long: http://www.wilderssecurity.com/showthread.php?t=19019

    Regards,

    Pieter
     
  7. richter

    It was just an interesting thing to see. I didn't encounter slowdowns when launching applications, only when they access the Internet.

    I will post if anything new arises. Thank you for taking time to reply.

    Thanks for the link. Let's hope they will be able to deal with the bandwidth issue. I am surprised that Javacool is offering all the software for free. Very nice and useful utilities.

    Regards,

    richter
     
  8. richter

    Update:

    After NOTHING helped to fix my slow Internet connection, I managed to find a solution to my problem on the techguy.org forums. Anyone who has problems with lag after connecting to the Internet after removing CWS, find and run software called WinsockXPFix. It resets Winsock settings to default, which were probably altered by CWS when I got infected, and fixes the problem. My computer works like a charm now.

    Hope this helps anyone.

    richter

    note: spelling fixed (bad English :D)
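
    Added example, not part of any post in this thread: a small Python triage of a HijackThis-style log that counts duplicate running processes and reports whether the sections tied to this discussion are present (O1 hosts file, O10 Winsock LSP, O19 user style sheet, as HijackThis defines those codes). The sample log is constructed in the layout of the one posted above, and the function names are hypothetical; note that in this thread the log listed none of these sections, yet a Winsock reset was what fixed the slowdown.

```python
import re
from collections import Counter

# Constructed sample, abridged in the layout of the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\IrfanView\i_view32.exe
C:\Program Files\IrfanView\i_view32.exe
C:\Program Files\IrfanView\i_view32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neowin.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# HijackThis section codes that matter for the symptoms discussed here.
WATCHED = {
    "O1": "hosts file redirection",
    "O10": "Winsock LSP hijack",
    "O19": "user style sheet hijack",
}

# Entry lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_log(text):
    """Split a log into the running-process list and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(text):
    """Summarise duplicates and which watched sections appear in the log."""
    processes, entries = parse_log(text)
    counts = Counter(p.lower() for p in processes)
    seen = Counter(code for code, _ in entries)
    return {
        "duplicate_processes": {p: n for p, n in counts.items() if n > 1},
        "sections": dict(seen),
        "watched": {code: seen.get(code, 0) for code in WATCHED},
    }
```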
     
  9. Pieter_Arntz

    Hi richter,

    Thanks for letting us know. :)

    Regards,

    Pieter
     