
CWShredder can't fix it


Pom Pom
05-04-2005, 04:05 AM
Hi everybody,

First, I am very impressed by your forum and how fast you are solving problems. You will notice my English is far from perfect, so I hope you can understand anyway.
I am not able to use Norton Antivirus anymore (a problem with LiveUpdate), and Windows Update is unreachable with Internet Explorer. I used CWShredder and found a few problems: CWS.Smartsearch and CWS.HiddenDLL. After removal they come back at the next reboot.
Thank you for your help

Logfile of HijackThis v1.99.1
Scan saved at 6:40:28 PM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\osrwin32.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Documents and Settings\Van Oudenaaren\Desktop\virus cleaner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\osrwin32.exe
O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

Pom Pom
05-04-2005, 06:22 AM
Thanks to Steve and his link to Pacman's Startup List! I found the problem in 2 O4 entries, and it was a Trojan, removed with the FxBeagle removal tools.
Thank you to all for this fantastic forum

All the best

Budfred
05-04-2005, 11:22 PM
I am not sure what you fixed, but there are some things in your log that need attention... Please open an HJT scan and put checks by:

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\osrwin32.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe

I also suggest fixing this one... It is part of MS Office and it will eat up a lot of resources to save you a few nanoseconds when you do a search... You pay in lost time every day for those few moments...

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Then close all open windows except HJT and click Fix checked...

Find and delete:
C:\WINDOWS\System32\winshost.exe
C:\WINDOWS\sa_exe.exe
C:\WINDOWS\osrwin32.exe

If you can't find or delete any of them, open HJT again, go to Config and then to Misc Tools and use the "delete on reboot" option to enter the whole location and file... Click through to close HJT and reboot... Please note if you are still having any problems when you post back....
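Budfred's triage above picks the O4 entries that don't belong out of a log that is mostly legitimate vendor software. As an added example (not code from this thread, from HijackThis or from its author), the following Python script parses O4 lines in the v1.99 log format and applies two of the heuristics visible in this very log: an executable dropped directly into C:\WINDOWS rather than a program directory, and the same file autostarting from both HKLM and HKCU. The embedded sample log is constructed from the lines posted above; the class and function names are my own.

```python
"""Triage HijackThis O4 (autostart) entries -- added example, not HJT's own code."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample log, modelled on the O4 lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P23 "EPSON Stylus C41 Series"
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\osrwin32.exe
O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First token ending in an executable extension; copes with unquoted paths containing spaces.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat))"?(?:\s|$)', re.IGNORECASE)
WINDOWS_ROOT = ntpath.normcase(r"C:\WINDOWS")  # assumed system drive for this example


@dataclass
class AutostartEntry:
    hive: str                 # "HKLM", "HKCU" or "Startup folder"
    name: str                 # registry value name or .lnk name
    command: str              # raw command line as logged
    path: str                 # executable extracted from the command
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extract_path(command: str) -> str:
    """Pull the executable out of a Run value, quoted or not."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else command.strip().split()[0]


def parse_o4(log_text: str) -> List[AutostartEntry]:
    entries: List[AutostartEntry] = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append(AutostartEntry(m["hive"], m["name"], m["cmd"], extract_path(m["cmd"])))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(AutostartEntry("Startup folder", m["name"], m["cmd"], extract_path(m["cmd"])))
    return entries


def triage(log_text: str) -> List[AutostartEntry]:
    """Attach heuristic reasons to each entry; an entry with no reasons passes."""
    entries = parse_o4(log_text)
    # Which hives each executable autostarts from; the same file in both HKLM
    # and HKCU is a redundancy trick malware uses and installers almost never do.
    hives_by_path: Dict[str, Set[str]] = {}
    for e in entries:
        if e.hive in ("HKLM", "HKCU"):
            hives_by_path.setdefault(ntpath.normcase(e.path), set()).add(e.hive)
    for e in entries:
        if ntpath.normcase(ntpath.dirname(e.path)) == WINDOWS_ROOT:
            e.reasons.append("executable dropped directly in the Windows directory")
        if len(hives_by_path.get(ntpath.normcase(e.path), ())) > 1:
            e.reasons.append("same file autostarts from both HKLM and HKCU")
    return entries


def suspicious_paths(log_text: str) -> List[str]:
    """Unique executables worth a human look, in a stable order."""
    return sorted({e.path for e in triage(log_text) if e.suspicious}, key=str.lower)


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        flag = "CHECK" if entry.suspicious else "ok   "
        print(f"{flag} {entry.hive:15} [{entry.name}] {entry.path}  {'; '.join(entry.reasons)}")
```

Run against the sample, it flags exactly the three files Budfred told Pom Pom to delete and passes the sound, QuickTime, Epson and SpySubtract entries. Treat the result as a shortlist, not a verdict: a bare filename such as SOUNDMAN.EXE still resolves through the search path, and a legitimate program can occasionally live in C:\WINDOWS, so every flagged entry still needs the kind of check a helper like Budfred does before it is fixed.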

Pom Pom
05-05-2005, 05:47 AM
I followed your advice step by step. Problem solved. Here is the new log. I have reinstalled Norton and run Windows Update. Everything seems fine except CWShredder is still finding "CWS affiliate: Toolband" after reboot.

Thank you so much for all the time you spend helping people like me. I really appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 8:41:51 PM, on 5/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Documents and Settings\Van Oudenaaren\Desktop\virus cleaner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Budfred
05-05-2005, 08:38 AM
Your log looks clean... Are you letting CWShredder fix the thing that it finds?? If not, do so....

Also, it may be worthwhile to run a deeper scan to see if there is still something there causing that to show up....

Try running an MWavScan... It will produce a log in the lower right hand corner and you will need to use Ctrl-C to copy the bottom part of it that has the bad items and then paste it here for review....

http://www.mwti.net/antivirus/free_utilities.asp

It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...

Pom Pom
05-06-2005, 03:28 AM
1 - CWShredder couldn't delete "CWS affiliate: Toolband", but Spybot did it.
2 - Here is the log from MWavScan; it seems some work needs to be done...

File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "altnet Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\1374468.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\326593.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\562890.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\621531.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sa_exe.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sm_exe.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sm_exe.exe.dll infected by "SpamTool.Win32.Maniac.a" Virus. Action Taken: No Action Taken.

Budfred
05-06-2005, 08:20 AM
Yes, some cleanup does need to be done.... Please download KillBox and reboot to Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the menu) and set it up to run... Use it to Rename and Delete on Reboot for each of these... Copy/paste them into the dialogue window:

C:\WINDOWS\1374468.exe
C:\WINDOWS\326593.exe
C:\WINDOWS\562890.exe
C:\WINDOWS\621531.exe
C:\WINDOWS\sa_exe.exe
C:\WINDOWS\sm_exe.exe
C:\WINDOWS\sm_exe.exe.dll

Then reboot... Run a fresh MWavScan and post it here along with a report on how things seem to be going...
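The MWavScan report Pom Pom posted and the KillBox list Budfred built from it are two ends of one step: pull the file paths out of the scan report, set aside the "File System" entries (the Alexa and altnet hits name no file to delete), and deduplicate. As an added example, not the thread's, MWavScan's or KillBox's own code, this Python parser does that; the sample report is constructed from the lines posted above and the class and function names are assumptions of mine.

```python
"""Turn an MWavScan report into a deduplicated delete-on-reboot list -- added example."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample report, modelled on the MWavScan lines posted in this thread.
SAMPLE_SCAN = r"""
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "altnet Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\1374468.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\326593.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\562890.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\621531.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sa_exe.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sm_exe.exe infected by "Trojan-Dropper.Win32.Agent.ki" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sm_exe.exe.dll infected by "SpamTool.Win32.Maniac.a" Virus. Action Taken: No Action Taken.
"""

# "File System Found infected ..." is a system-wide hit with no path. It must be
# tried first: the generic FILE_RE would otherwise accept "System Found" as a path.
SYSTEM_RE = re.compile(
    r'^File System Found infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.?$')
FILE_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.?$')


@dataclass(frozen=True)
class Detection:
    path: Optional[str]   # None for system-wide (settings/adware marker) hits
    name: str             # detection name as reported by the scanner
    action: str           # what the scanner did, e.g. "No Action Taken"


def parse_scan(report: str) -> List[Detection]:
    found: List[Detection] = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SYSTEM_RE.match(line)
        if m:
            found.append(Detection(None, m["name"], m["action"]))
            continue
        m = FILE_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["name"], m["action"]))
    return found


def files_to_remove(report: str) -> List[str]:
    """Unique file paths the scanner reported but left in place, in a stable order."""
    paths = {d.path for d in parse_scan(report) if d.path and d.action == "No Action Taken"}
    return sorted(paths, key=str.lower)


def system_wide_hits(report: str) -> List[str]:
    """Detections with no file behind them; these need a settings tool, not a file delete."""
    return sorted({d.name for d in parse_scan(report) if d.path is None}, key=str.lower)


def killbox_list(report: str) -> str:
    """One path per line, ready to paste into a delete-on-reboot tool's dialogue."""
    return "\n".join(files_to_remove(report))


if __name__ == "__main__":
    print("Files to rename and delete on reboot:")
    print(killbox_list(SAMPLE_SCAN))
    print("\nSystem-wide hits to handle separately:", ", ".join(system_wide_hits(SAMPLE_SCAN)))
```

The split between file hits and system-wide hits is the point: the seven paths go to the delete-on-reboot tool exactly as Budfred listed them, while the Alexa and altnet entries survive that step untouched, which is why they are still in Pom Pom's follow-up scan and get a different answer (Spybot for the IE setting, Add/Remove Programs for Altnet).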

Pom Pom
05-06-2005, 05:18 PM
It looks better, what do you think ?

File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "altnet Spyware/Adware" Virus. Action Taken: No Action Taken.

Budfred
05-06-2005, 11:13 PM
The Alexa settings get reset by IE, so they can be fixed by Spybot, but they will come back anyway if you use IE...

Altnet is usually installed with Kazaa... Check in Add/Remove Programs for any evidence of it and remove it if you find it...

Otherwise it looks like you are okay as long as you aren't having any more problems... If you are not having any more problems, you really need to update WinXP to SP2 as soon as possible... Don't do it if you still see evidence of infection... If you do it, please post back with a fresh HJT log and report on how it went....

Here is my prevention speech to help avoid future problems:

This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

http://www.computercops.biz/postlite7736-.html