Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

CWS_NS3


  • Please log in to reply

#16
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
my system propertyies has Startup and Recovery and then has things in there and for system failure, it has "Write an event to the system log"

As far as the Trojan thing, I ran it and there weren't any. I have Mcaffee.


I have adaware spybot and spysweeper and have used all three. The item keeps coming back and spysweeper is the only one that seems to catch it but it keeps coming back

Your virus thingy I tried it but it crashed my browser twice.
  • 0

Advertisements


#17
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Logfile of HijackThis v1.98.2
Scan saved at 1:38:51 PM, on 8/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\MK Net Work\ZipMail LN\zmailLN.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\netvf.exe
C:\WINNT\system32\apikt32.exe
C:\Documents and Settings\pxc03\My Documents\falundafa\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://neword.com?s
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://neword.com?s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xfwzl.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xfwzl.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xfwzl.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xfwzl.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xfwzl.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xfwzl.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://neword.com?s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xfwzl.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Alstom Power NSC
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {824B4D56-5BCF-8393-146E-67DBD7C38C71} - C:\WINNT\syssx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ZipMail LN System Tray add-on] "C:\Program Files\MK Net Work\ZipMail LN\zmailLN.exe" 001
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [netvf.exe] C:\WINNT\system32\netvf.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.sitetracking.info/cttdl.cab
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform...ins/OFMailX.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = win.us.power.alstom.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = win.us.power.alstom.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = win.us.power.alstom.com,us.power.alstom.com,power.alstom.com,alstom.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = win.us.power.alstom.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = win.us.power.alstom.com,us.power.alstom.com,power.alstom.com,alstom.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = win.us.power.alstom.com,us.power.alstom.com,power.alstom.com,alstom.com
  • 0

#18
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Try this online scanner. Housecall crashes my computer too. Hang in there.

http://www.pandasoft...com/activescan/

Be sure you are viewing hidden files and folders:
http://www.xtra.co.n...1916458,00.html
  • 0

#19
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I still can't tell you what to do on the HJT log, although I have an idea, but you have been hijacked by about:blank
  • 0

#20
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
how do you know that I have been hijacked by about blank, it seems to me it is cws_ns3
  • 0

#21
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Look at the entry:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

Please do not delete anything until someone else comes along to help. I am still in training, but I decided to pitch in because there are so many people out there who need help today.
  • 0

#22
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
I wonder if when I clean out the spy with spysweeper if I unplug the computer that will get rid of it
  • 0

#23
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
It will still be there. Just be patient. I admire your persistence.
  • 0

#24
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
if it is one of those lines in the hijack this, then I can just delete all of the ones I don't think I need don't you think? who knows if that will work though
  • 0

#25
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
is it possible to clean out the cws_ns3? if not, please tell me.
  • 0

Advertisements


#26
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Yes, they will be able to fix your problems. <_<

You don't want to delete some entries. You might take out something that you need. If you've followed all the steps that I've outlined.

1. Making sure you can view hidden files.
2. Running Adaware that is customized.
3. Runing Spybot Search and Destroy (they just updated their settings today)
4. Deleting your temporary files.

You should be ready to have your log reviewed when the staff comes along. This way you're ready to go.

Edited by coachwife6, 20 August 2004 - 01:44 PM.

  • 0

#27
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
how do you customize adaware?
  • 0

#28
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
well, I deleted 20 items out of hijackthis but didn't fix it
  • 0

#29
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

After installing AAW, and before running the program, you must FIRST update the reference file following these instuctions. (and you must always do this before you run the program at any later date).

Now do the following:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives. It will find a number of spyware files and registry keys. Right-click in that pane and choose "select all"

Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.
  • 0

#30
bondzai

bondzai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Thanks,

I did it and while it found a few little things, the CWS_NS3 is still there as reported by Spy Sweeper.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP