
CWS malware [CLOSED]


  • This topic is locked This topic is locked

#1
TheDude
New Member, 1 posts
I read many of the postings on this topic before attempting this. Went through the "malware removal forum rules" first .... the CleanUp, anti ad-ware, spy-bot, cws shredder, viruses/trojans, downloaded AVG and scanned (came up with and quarantined a few trojans), windows update (restart), then the HijackThis.

IE still seems to be controlled by that about:blank bs and I've been getting a lot of script errors that just don't seem to want to go away.

I'm relatively new to high-speed ... had it for years @ work but just now came around to getting it @ home a few months back .... already had to restore the OS once just a few weeks ago and now this!! Don't think I missed a step ... tried to follow directions explicitly but I've been at this for several hours now and it's late/early so I may have missed something ...

Any recommendations of what to check and fix would be much appreciated .... if indeed that is my next step. Even if you can't help me fix this, based on all the stuff I've found and removed it seems to be a step in the right direction so thanks either way. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 4:24:47 AM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\wincf.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1133460101\ee\AOLHostManager.exe
C:\WINDOWS\sdkhf.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\AOL\1133460101\ee\AOLServiceHost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1133460101\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133460101\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll
O2 - BHO: Class - {585E345B-E5D7-B9B1-5671-2E08508183C0} - C:\WINDOWS\system32\crso.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133460101\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ntuq.exe] C:\WINDOWS\ntuq.exe
O4 - HKLM\..\Run: [vsx] C:\WINDOWS\vsx.exe
O4 - HKLM\..\Run: [wincf.exe] C:\WINDOWS\wincf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134214586265
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A9D7BE0-3632-4EE1-A0B3-FA91826EACCE}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#2
therock247uk
Expert, MVP, 14,672 posts
1. Make sure your PC is set to show all hidden files and folders. Go here for instructions on how to do this: http://pchowtos.co.u...tion=view&id=34

2. You have a CoolWebSearch infection.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

3. Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select safe mode.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll
O2 - BHO: Class - {585E345B-E5D7-B9B1-5671-2E08508183C0} - C:\WINDOWS\system32\crso.dll
O4 - HKLM\..\Run: [ntuq.exe] C:\WINDOWS\ntuq.exe
O4 - HKLM\..\Run: [vsx] C:\WINDOWS\vsx.exe
O4 - HKLM\..\Run: [wincf.exe] C:\WINDOWS\wincf.exe

4. Delete the files. (if present)

C:\WINDOWS\system32\javaov32.dll
C:\WINDOWS\system32\crso.dll
C:\WINDOWS\ntuq.exe
C:\WINDOWS\vsx.exe
C:\WINDOWS\wincf.exe

5. Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about. Reboot your computer into normal Windows.

6. Post a new HijackThis log here in a reply.
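As an added example (not part of this thread and not HijackThis's own code), the script below applies the indicators the reply above relies on to triage a HijackThis log: IE start/search pages reset to about:blank, a missing URLSearchHook, BHOs registered only as "Class" in system32, and Run entries launching executables dropped straight into C:\WINDOWS. The sample lines are constructed from this thread's log, and every rule is a heuristic assumed here, not a CWS signature database.

```python
import ntpath
import re

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll
O2 - BHO: Class - {585E345B-E5D7-B9B1-5671-2E08508183C0} - C:\WINDOWS\system32\crso.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuq.exe] C:\WINDOWS\ntuq.exe
O4 - HKLM\..\Run: [vsx] C:\WINDOWS\vsx.exe
O4 - HKLM\..\Run: [wincf.exe] C:\WINDOWS\wincf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

R_HIJACK_RE = re.compile(r"^R[01] - .*= about:blank$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] "?(?P<path>.+?\.exe)"?(?:\s.*)?$', re.I)


def triage(log_text):
    """Return (entries to tick in HijackThis, files to delete in safe mode)."""
    fix, delete = [], []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if R_HIJACK_RE.match(line) or line == "R3 - Default URLSearchHook is missing":
            # about:blank pages plus a removed search hook: the CWS signature here.
            fix.append(line)
            continue
        m = O2_RE.match(line)
        if m and m.group("name").lower() == "class":
            # A BHO with no real registered name: flag the entry and its DLL.
            fix.append(line)
            delete.append(m.group("path"))
            continue
        m = O4_RE.match(line)
        if m and ntpath.dirname(m.group("path")).lower() == r"c:\windows":
            # Heuristic: a Run entry for an .exe sitting directly in C:\WINDOWS
            # (not system32 or Program Files) is treated as a dropped loader.
            fix.append(line)
            delete.append(m.group("path"))
    return fix, delete


if __name__ == "__main__":
    entries, files = triage(SAMPLE_LOG)
    print("\n".join(["Fix in HijackThis:"] + entries + ["Delete:"] + files))
```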

#3
therock247uk
Expert, MVP, 14,672 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.