CWS virus problem

Discussion in 'adware, spyware & hijack cleaning' started by walwinkle, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. walwinkle

    walwinkle Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    4
    Hi,

    Can anyone help me with the problem I'm having with CWS virus. I have run hijackthis, I've run CWShredder, I've installed numerous spy bot programs but it still re-appears on my machine without a restart, if I clean the machine 20minutes later it will be back on the machine. I've uninstalled Java Virtual machine. I've run CWShredder and there are a few items that appear that shouldn't be there, if I delete the domains key in the registry it stops the following appear, but after a while they reappear:
    -----------------------------------------------
    -----------------------------------------------
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    ----------------------------------------------
    ----------------------------------------------
    Here is the hijack this log:
    ----------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 13:49:18, on 6/9/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\gearsec.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\WINNT\System32\llssrv.exe
    D:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    D:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\ctfmon.exe
    D:\Program Files\SpywareGuard\sgmain.exe
    D:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\davem\My Documents\HijackThis.exe
    C:\F\Setup Files\CWShredder.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06c51d248dbdf661d805/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38075.3179398148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.labyrinth.ie
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.labyrinth.ie
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.labyrinth.ie

    -------------------------------------------
    -------------------------------------------
    any help would be appreciated,
    thanks
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi walwinkle,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06c51d248dbdf661d805/netzip/RdxIE601.cab

    Then reboot and download http://tools.zerosrealm.com/dllfix.exe

    Doubleclick it and install in folder of choice on the root drive, in your case C:\

    Run start.bat and press option 1. 'output.txt' will be created in the folder

    Please post that report

    Regards,

    Pieter
     
  3. walwinkle

    walwinkle Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    4
    Hi Pieter,

    I've run the Hijack this, deleted the keys you mentioned, rebooted, ran the dllFix and here is the output from the log: (thanks for your help so far)

    ---------------------------------------
    ---------------------------------------

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Thu 10/06/2004
    9:06

    System Info:

    Microsoft Windows 2000 [Version 5.00.2195]
    C: "Local Disk" (9816:68C:cool: - FS:NTFS clusters:4k
    Total: 31 461 695 488 [29G] - Free: 17 951 838 208 [17G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.0.2140.1 C:\WINNT\system32\notepad.exe
    5.0.2140.1 C:\WINNT\notepad.exe
    *Media Player version :
    9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q831167;Q837009;



    Locked or 'Suspect' file(s) found...
    \\?\C:\WINNT\System32\WDMEDJO.DLL +++ File read error
    \\?\C:\WINNT\System32\WDMEDJO.DLL +++ File read error


    Scanning for main Hijacker:
    File found was C:\WINNT\System32\LEMH.DLL
    Md5 tested As 0758CF635DF08AC381962F74832B6484


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
    @="SpywareGuard Download Protection"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi walwinkle,

    Run start.bat again and choose option 2. Hit '1' and enter dll name manually:
    C:\WINNT\System32\LEMH.DLL

    Run start.bat again and choose option '2'. You must reboot after doing so.

    Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

    Also run CWShredder finally to clean up other entries.

    Regards,

    Pieter
     
  5. walwinkle

    walwinkle Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    4
    Hi Pieter,

    I've done all that, ran the programs etc, they ran on startup too, updated my version of lavasoft, ran it, it picked up a few instances of CWS (some dlls and registry keys) deleted them.
    I've run CWShredder and it's not picking up any registry keys but the following is still appearing, i presume the CWS references shouldn't appear?:

    ----------------------------------------------
    ----------------------------------------------
    Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (734 bytes, R)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINNT\win.ini (622 bytes, A)
    Found System.ini file: C:\WINNT\system.ini (231 bytes, A)

    --------------------------------------------
    --------------------------------------------
    I've run hijack this and the following is appearing again:
    --------------------------------------------
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    --------------------------------------------

    thanks for your help so far
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    The important part is if about:blank is a empty page now.

    You can Fix:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    although I thought AdAware would find that. So check if it stays away.

    The dword:4 entries mean that those sites are in your restricted zone for IE. Most likely put there by some protection program like SpywareBlaster, IE-Spyads etc.

    As the scan says (if value is 2) so it reads dword:2 (which is the Trusted Zone) then you should start worrying.

    Regards,

    Pieter
     
  7. walwinkle

    walwinkle Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    4
    Ok cool, that seems to have done the trick, I will keep an eye on it, it used to appear on my machine about 4 -5 times a day, so if it's fine by the end of the day the I'll presume it's fixed.

    thanks a million, appreciate it, it was driving me nuts.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
Thread Status:
Not open for further replies.