Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

cws.about blank + easyseach malware?


  • Please log in to reply

#1
mbco2001

mbco2001

    New Member

  • Member
  • Pip
  • 2 posts
Hey guys (and girls) Im having a problem with what I believe to be adware. This is only my 2nd day on my new custom built pc and Im starting off on the wrong foot. I've yet to install Norton Internet Security...

While visiting some random website via internet explorer today, I get a quick popup that looks like it loads something really fast, then closes itself, then pops up another window. Anyhow, now everytime I open Internet Explorer, I have bookmarks that read "Only Sex website" and "seven days of free p***". There is also a folder under the bookmark area titled "Sites about" which contains well over 20+ sites ranging from insurance to loans. I downloaded and installed Panda's Trial version of "Panda Platinum 2005 internet security" and it has had numerous alerts such as

adware/cws.aboutblank
Location:
e:\windows\system32\mfcrh32.exe

adware/cws.aboutblank
location:
e:\windows\system32\sysxk32.exe


It has stated they have been neutralized but each popup contains a different file. It has also had popups containing an "easysearch" adware and one file it listed was gdgsh.dll

Another problem this seems to be causing is within AOL instant messenger. I can open AIM but as soon as I double click a name to send an instant message, AIM locks up. Same as internet explorer goes - I can navigate around but as soon as I try and close IE, it hangs.

I have tried running CWshredder in both safe and normal mode (the normal mode attempt was scanning then all of a sudden my pc restarted). The safe mode attempt found nothing. I have browsed around the forums reading other posts and have tried numerous programs such as Hijackthis (will post a log in a bit). I have downloaded onto my pc Regsrch, aboutbuster and cwsremove9x all of which we ran in safe mode. Ad-aware was also ran in same mode and found both of these adware's, and claims to have fixed, yet I still have the same problem in normal mode. The hijackthis log is below.


_____________

Logfile of HijackThis v1.99.1
Scan saved at 5:47:32 PM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\LEXPPS.EXE
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
E:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\program files\powerstrip\pstrip.exe
E:\Program Files\PerSono\perstray.exe
E:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
E:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\alg.exe
E:\mIRC\mirc.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
E:\WINDOWS\system32\notepad.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe
E:\DOCUME~1\Geno\LOCALS~1\Temp\Rar$EX00.375\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\gdgsh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\gdgsh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\system32\gdgsh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\gdgsh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\system32\gdgsh.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8D24EEA0-CCFD-2662-E69E-084B8B29DD85} - E:\WINDOWS\sdkwk.dll
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nTrayFw] E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmartGuardian] E:\Program Files\ITE\Smart Guardian\ITESmart.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [PowerStrip] e:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SCANINICIO] "E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [iexplore.exe] E:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: app_filter - Unknown owner - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - E:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - E:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 6Q' - Unknown owner - E:\WINDOWS\system32\mfcrh32.exe (file missing)




___________________________


If there is any more information I can provide to help you guys help me, please let me know This is very dis-heartning on only my 2nd day on my new custom pc.
  • 0

Advertisements


#2
mbco2001

mbco2001

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Just an update:

I've run About:busters, hijackthis, cwshredder all in safe mode, on both administrator and my profile account, and both appear clean.. Yet I still have random "lags" and sometimes Internet Explorer wont find a webpage, but when I hit refresh, sometimes it'll come up quickly.

While opening CWSshredder in Normal mode, I got a popup from it saying cws.smartsearch.2 was trying to prevent it from running... Yet nothing is showing up on the scans..

Through previous HJT logs, the .dll that was registering the spyware/adaware was sdkwk.dll but even after reboot into safe mode with enable all files + hidden files, I could not locate this file.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP