Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help on CWS_NS3 and Trojan Horse: Spooner-A

Started by webber , Feb 09 2005 08:28 PM

  • Please log in to reply

#1
webber
Posted 09 February 2005 - 08:28 PM

webber

    Member

  • Member
  • PipPip
  • 10 posts
I scanned my computer using SpySweeper and I keep getting this adware and virus. Can anybody help to remove this? I need help please.... :tazz:
  • 0

Advertisements

#2
admin
Posted 09 February 2005 - 11:56 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log as a new topic in the Hijack This forum. It will get a better response there from the people most qualified to analyze logs.

Click the HijackThis Guide in my signature, download it and follow the recommendations in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
  • 0

#3
hol6min
Posted 16 February 2005 - 12:26 PM

hol6min

    New Member

  • Member
  • Pip
  • 1 posts
someone please help me with this :tazz:

Logfile of HijackThis v1.99.0
Scan saved at 19:21:19, on 16.02.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Programfiler\Apoint2K\Apoint.exe
C:\Programfiler\TOSHIBA\TouchED\TouchED.Exe
C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Programfiler\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programfiler\Apoint2K\Apntex.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Programfiler\TOSHIBA\TOSHIBA-kontroller\TFncKy.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Programfiler\Big Planet\BP Internet Security\BPInternetSecurity.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fredrik\Skrivebord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Fredrik\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Programfiler\TOSHIBA\Free Update Service\splash.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Fredrik\LOKALE~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8C92275C-442C-474D-8006-B0CD008BA96A} - C:\WINDOWS\System32\jejo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Programfiler\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Programfiler\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe -close
O4 - HKLM\..\Run: [BP Internet Security] C:\Programfiler\Big Planet\BP Internet Security\BPInternetSecurity.exe /minimize
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Fredrik\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programfiler\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Programfiler\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O18 - Filter: text/html - {D486ED97-F977-4077-A11F-2108FDA55439} - C:\WINDOWS\System32\jejo.dll
O18 - Filter: text/plain - {D486ED97-F977-4077-A11F-2108FDA55439} - C:\WINDOWS\System32\jejo.dll
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Programfiler\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect WD Service - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
admin
Posted 17 February 2005 - 06:23 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Vist the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.

  • 0

#5
keiosterfest
Posted 18 February 2005 - 08:37 AM

keiosterfest

    New Member

  • Member
  • Pip
  • 1 posts
I have/had (not sure is it really gone) this virus and I used this tutorial and for now 10 minutes there hasnt been new alerts.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP