
Thread: CWS.smartsearch.2 problem

  1. #1 _uNDeRsCoRE (Regular Member; joined Jun 2002; 252 posts)

    CWS.smartsearch.2 problem

    After upgrading to the latest version of CWShredder (v1.59) I got this....

    You have a variant of the coolwebsearch Trojan (CWS.smartsearch.2) that has attempted to close CWShredder. To counter this, CWShredder is now starting with a random string of text in the title bar.
    CWShredder is still functioning fine, it has not been corrupted.
    If you feel you should not be getting this error and you are not infected, restart CWShredder and this warning should not appear again.

    Even HijackThis freezes... Ad-Aware, Spybot S&D, SpywareBlaster and a2 free... just congratulate me!

    I also searched (F3) for some known filenames used by this variant provided by SpywareInfo, e.g. iexplorer.exe, directx.exe, but didn't find any. Any help please?

    BTW, CWShredder freezes when scanning CWS.Bootconf (just right after CWS.Datanotary).

  2. #2 _uNDeRsCoRE (Regular Member; joined Jun 2002; 252 posts)

    OK, I got HJ running...

    Logfile of HijackThis v1.97.7
    Scan saved at 4:58:54 PM, on 6/6/04
    Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\spoolss.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PowerLeap Utilities\MTRRAPP.EXE
    C:\PROGRA~1\Agnitum\Outpost Firewall\outpost.exe
    C:\WINNT\system32\RpcSs.exe
    C:\Program Files\WinGate\WinGate.exe
    c:\winnt\system32\pstores.exe
    C:\WINNT\System32\nddeagnt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\SysTray.Exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\AnalogX\FastCache\fc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgemc.exe
    C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    C:\Program Files\IDETOOL\IDETOOL.EXE
    C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
    C:\Program Files\WinGate\wgengmon.exe
    C:\Program Files\AnalogX\MaxMem\maxmem.exe
    C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
    C:\Program Files\VitalSigns\Net.Medic\Program\syshook.exe
    C:\Program Files\PicoPhone\PicoPhone164.exe
    G:\_uNDeRsCoRE\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = [_]D
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PatchWork] G:\_uNDeRsCoRE\grc\patchwrk.exe check
    O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [FastCache] C:\Program Files\AnalogX\FastCache\fc.exe
    O4 - HKLM\..\Run: [AVG_EMC] C:\PROGRA~1\Grisoft\AVG6\avgemc.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\task_agent.exe
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
    O4 - Startup: AnalaogX MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe
    O4 - Startup: AnalogX Time Sync.lnk = C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: PicoPhone.lnk = C:\Program Files\PicoPhone\PicoPhone164.exe
    O4 - User Startup: AnalaogX MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe
    O4 - User Startup: AnalogX Time Sync.lnk = C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
    O4 - User Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - User Startup: PicoPhone.lnk = C:\Program Files\PicoPhone\PicoPhone164.exe
    O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
    O4 - Global Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
    O4 - Global Startup: WinGate Engine Monitor.lnk = C:\Program Files\WinGate\wgengmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O9 - Extra button: AdShield (HKCU)
    O13 - WWW. Prefix: http://
    O15 - Trusted Zone: *.1rstwap.com
    O15 - Trusted Zone: *.bluetack.co.uk
    O15 - Trusted Zone: *.catalog.com
    O15 - Trusted Zone: *.catchup.cnet.com
    O15 - Trusted Zone: *.catchup-install.cnet.com
    O15 - Trusted Zone: *.commandondemand.com
    O15 - Trusted Zone: *.deerfield.com
    O15 - Trusted Zone: *.dslreports.com
    O15 - Trusted Zone: *.fsc.follett.com
    O15 - Trusted Zone: *.passport.com
    O15 - Trusted Zone: *.passport.net
    O15 - Trusted Zone: *.pcpitstop.com
    O15 - Trusted Zone: *.seagate.com
    O15 - Trusted Zone: *.sitesupport.us
    O15 - Trusted Zone: *.speedguide.net
    O15 - Trusted Zone: *.sun.com
    O15 - Trusted Zone: *.sygate.com
    O15 - Trusted Zone: *.sygatetech.com
    O15 - Trusted Zone: *.webandemailforwarding.com
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...ctor/swdir.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {6BF52A52-394A-11D3-B153-00C04F79FAA6} - http://activex.microsoft.com/activex...n/nsmp2inf.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
    O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.0.1

  3. #3
    Have you tried going here to find out what the problem is?

    http://www.spywareinfo.com/~merijn/downloads.html

  4. #4 _uNDeRsCoRE (Regular Member; joined Jun 2002; 252 posts)
    Thanks Debbie,

    The mini removal has found it, but I'm still getting this...


  5. #5 blebs (R.I.P. 2013-11-22; joined Dec 2000; North Canton, Ohio; 12,831 posts)
    I'm wondering if script sentry is keeping it from running properly? Maybe disable it and try it then.

  6. #6
    This is the first thing I noticed above.

    Try downloading the shredder prog again. Something may have happened when you downloaded it. It is a shot in the dark, but give it a try. I just checked out mine and it is not like that. It says the name of the proggy.

  7. #7 _uNDeRsCoRE (Regular Member; joined Jun 2002; 252 posts)
    Quote Originally Posted by blebs99
    I'm wondering if script sentry is keeping it from running properly? Maybe disable it and try it then.
    Disabling SS doesn't help.

    Quote Originally Posted by Debbie
    This is the first thing I noticed above.

    Try downloading the shredder prog again. Something may have happened when you downloaded it. It is a shot in the dark, but give it a try. I just checked out mine and it is not like that. It says the name of the proggy.
    The image you've inserted refers to this...
    "CWShredder is now starting with a random string of text in the title bar."
    It's a feature that prevents the program from getting corrupted.

    I did download another copy; it does the same, and I also tried an older version. I even tried it on another NT workstation, and the proggy is fine.

    Thanks

  8. #8 blebs (R.I.P. 2013-11-22; joined Dec 2000; North Canton, Ohio; 12,831 posts)
    Get this thing below and run it first, then try CWS.

    http://www.safer-networking.org/files/delcwssk.zip

  9. #9 _uNDeRsCoRE (Regular Member; joined Jun 2002; 252 posts)

    Thanks blebs99,

    It's in my 3rd post:

    Quote Originally Posted by me
    The mini removal has found it, but I'm still getting this...

  10. #10 blebs (R.I.P. 2013-11-22; joined Dec 2000; North Canton, Ohio; 12,831 posts)
    Time to take the problem to either place below then:

    http://forums.spywareinfo.com/

    http://forums.net-integration.net/index.php?

    Tis now beyond my scope of help. Sorry.

  11. #11 _uNDeRsCoRE (Regular Member; joined Jun 2002; 252 posts)

    Just visited the forums... I'm not the only one with that kind of problem. Maybe the next version of CWShredder will fix everything. Thanks for all your help.

  12. #12 blebs (R.I.P. 2013-11-22; joined Dec 2000; North Canton, Ohio; 12,831 posts)
    I'm interested to see what is found as the solution as well.

  13. #13 YARDofSTUF (Second Most EVIL; joined Nov 2000; USA; 69,929 posts)
    I got that when I had an old version open when I opened the new one.

  14. #14 _uNDeRsCoRE (Regular Member; joined Jun 2002; 252 posts)

    Two of the same apps running.... I don't think so.

    http://forums.spywareinfo.com/index....s\.smartsearch

  15. #15 _uNDeRsCoRE (Regular Member; joined Jun 2002; 252 posts)

    Bingo!

    I think I know what's causing CWShredder to freeze.

    The variant CWS.Smartsearch.2 or CWS.Bootconf is creating this new hosts file (hosts.new) in the /etc dir. It copies the content of your original hosts file (hosts or hosts.sam) with an encrypted script which makes Spybot, Ad-Aware and other system updates fail/get lost. This hosts.new file is so bloated, its file size ranges from 536 KB to 1.42 MB.

    Deleting the file is possible, but when you run CWShredder the file just resurrects itself. So what I did: I edited the original hosts file by deleting all entries and pressed the space bar to allow saving. This way, when you run CWShredder, the variant will fail to copy or modify anything from it. (I think the variant is recognizing the "#" entry to create its script, not really sure.)

    Now you can put back or create a new hosts file, e.g. 127.0.0.1 localhost (without placing a "#").

    BTW, I also found these files in the /drivers folder, not sure if legit:

    95xx.bin
    fwdrv.err
    ntinst.exe
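A small audit script, added here as an illustration and not taken from the thread, that checks for the symptoms the post above describes: a hosts.new sitting next to the hosts file in the size range reported, and hosts entries that pin non-local names, which is how anti-spyware update servers get sinkholed. The sample file contents, the example-av.test name and the use of 536 KB as the size alarm are constructed assumptions.

```python
import re

# The post reports hosts.new weighing 536 KB to 1.42 MB; the lower bound is
# used here as a size alarm (assumption: a clean hosts file is far smaller).
BLOAT_BYTES = 536 * 1024
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)$")

def parse_hosts(text):
    """Parse hosts-file text into (ip, hostname) pairs, skipping comments
    and anything that is not a well-formed hosts line (e.g. injected data)."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not IP_RE.match(parts[0]):
            continue
        pairs.extend((parts[0], name.lower()) for name in parts[1:])
    return pairs

def hijacked_entries(text):
    """Entries pinning a non-local hostname: in a tampered hosts file these
    are what sinkhole AV/anti-spyware update servers so updates fail."""
    return [(ip, n) for ip, n in parse_hosts(text) if n not in LOCAL_NAMES]

def audit(files):
    """files: {filename: content}. Returns a list of findings as strings."""
    findings = []
    if "hosts.new" in files:
        size = len(files["hosts.new"].encode())
        flag = ", bloated" if size >= BLOAT_BYTES else ""
        findings.append("hosts.new present (%d bytes)%s" % (size, flag))
    for name in ("hosts", "hosts.new"):
        for ip, host in hijacked_entries(files.get(name, "")):
            findings.append("%s: %s -> %s" % (name, host, ip))
    return findings

# Constructed sample: a clean hosts file beside a padded, tampered hosts.new.
# The example-av.test name is a placeholder, not a real update server.
SAMPLE = {
    "hosts": "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1 localhost\n",
    "hosts.new": ("127.0.0.1 localhost\n"
                  "127.0.0.1 updates.example-av.test\n"
                  + "#" * 600000 + "\n"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```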
