CW Shredder problem

  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    81

    CW Shredder problem

    Hi,

    I'm having a problem opening CWShredder and was wondering if you could help. I'm sure it said the first time that I have a variant of CoolWebSearch but now it doesn't come up and the thing won't load. It said that it was opening under another name but that failed and now all I get is:

    Hosts file not present
    Found Win.ini file: C:\WINDOWS\win.ini (8029 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2165 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    Anyway I thought I'd run HijackThis and it would be OK, but I can't find anything. My PC is seriously slow and I think I've already deleted everything I can so there's hardly anything there. This is what I've got: (is there anything that looks weird here? I can't see anything. Oh, I've run AVG, Spybot and Ad-Aware too but they don't get anything apart from a DSO exploit now and then in Spybot. Maybe that's it actually, because it keeps returning.)

    Logfile of HijackThis v1.97.7
    Scan saved at 07:33:54, on 26/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www.karoo.co.uk:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\PROGRAM FILES\CLEANMYPC POPUP BLOCKER\CLEANBHO.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\PROGRAM FILES\CLEANMYPC POPUP BLOCKER\CLEANBAR.DLL
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    I've already searched through some threads here but the problem seems to be different, or a variation/mutation of the same thing. Just one thing I don't get:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    Why is this running twice all the time?

    Any help with these two things would be brilliant, and sorry if this is something that's already been dealt with here before. I guess I'm just looking for a few places in the registry that I can search for this thing.

    edit >>> sorry, I forgot to add: I've downloaded SmartKiller as well but when I open the folder and click on it a box comes up and says that it can't be found on my system.
    "What is is not, what is not is - - if this is not yet clear to you, you're still far from the truth."
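The two R0 lines asked about above, as an added example that is not part of the original thread: a small Python parser (the names HJT_SAMPLE, parse_hjt, duplicate_names and unqualified_commands are mine) that reads R0/R1/O4 lines copied from the posted log, groups repeated names by registry hive and key, and lists the autostart commands that give only a bare file name.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: seven lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www.karoo.co.uk:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"""

@dataclass(frozen=True)
class Entry:
    section: str   # HijackThis section code: R0, R1 or O4
    hive: str      # HKCU or HKLM
    location: str  # registry path (R lines) or Run/RunServices key (O4 lines)
    name: str      # value name (R lines) or autostart label (O4 lines)
    value: str     # data or command line; empty for the "Local Page =" lines

R_RE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),([^=]+?) ?= ?(.*)$")
O4_RE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\(Run|RunServices|RunOnce): \[(.+?)\] (.*)$")

def parse_hjt(text: str) -> list[Entry]:
    """Turn R0/R1/O4 lines into Entry records; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        if m := R_RE.match(line.strip()):
            entries.append(Entry(m[1], m[2], m[3], m[4], m[5]))
        elif m := O4_RE.match(line.strip()):
            entries.append(Entry("O4", m[1], m[2], m[3], m[4]))
    return entries

def duplicate_names(entries: list[Entry]) -> dict[str, list[tuple[str, str]]]:
    """Names seen more than once, with the hive and key of each copy: the two
    "Local Page" lines are HKCU and HKLM, the two LoadPowerProfile lines Run
    and RunServices, so neither is one entry listed twice."""
    seen = defaultdict(list)
    for e in entries:
        seen[e.name].append((e.hive, e.location))
    return {name: locs for name, locs in seen.items() if len(locs) > 1}

def unqualified_commands(entries: list[Entry]) -> list[str]:
    """O4 labels whose command carries no drive or directory, so the file that
    runs is whatever the search path resolves first; locate it on disk by hand."""
    flagged = set()
    for e in entries:
        if e.section == "O4" and e.value:
            exe = e.value.split()[0].strip('"')
            if "\\" not in exe and ":" not in exe:
                flagged.add(e.name)
    return sorted(flagged)
```

The grouping shows the Local Page line is one value under HKCU and one under HKLM, not the same entry running twice. An unqualified command is not evidence of malware (Windows registers several entries this way); it only marks which files to locate on disk before trusting the line.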

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    81
    Hopefully this will help if you can't see anything from the first post. I ran a program called StartupList and here are the results:

    StartupList report, 26/06/2004, 08:30:24
    StartupList version: 1.52
    Started from : C:\MY DOCUMENTS\STARTUPLIST.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\MIXER.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\MY DOCUMENTS\STARTUPLIST.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    CnxDslTaskBar = C:\WINDOWS\SYSTEM\CnxDslTb.exe
    SmcService = C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    LoadQM = loadqm.exe
    C-Media Mixer = Mixer.exe /startup

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    SmcService = C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 26/6/2004, 7:46:46)

    [rename]
    NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
    CleanMyPC Popup Blocker - C:\PROGRAM FILES\CLEANMYPC POPUP BLOCKER\CLEANBHO.DLL - {7A9BC6B1-7F27-47c6-A66D-13582E81E537}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = https://download.macromedia.com/pub/...sh/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

    There seems to be some weird stuff there. Also, my computer keeps freezing for a few seconds every so often and I can hear something running, then it just goes back to normal. It's strange.

  3. #3
    Macht Nicht Aus moxnix
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    I would suggest that you go to http://www.spywareinfo.com/~merijn/cwschronicles.html and download the latest copy of CWShredder. Also read the notes on the various variants of CWS that are listed down the page. They also give you the HijackThis entries that need to be removed.
    We are pretty sure now CoolWebSearch is part of a new strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc. Take a look at this snippet from the description of the Java.Shinwow trojan:

    This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.
    The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.

    We strongly recommend you install the patch, available from this MS security bulletin. If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Information on removing the MS Java VM completely and replacing it with the newer, safer Sun Java VM can be found here.

    On a side note, some of the affiliates (Search-Meta has been verified) use another Java exploit to install their malware. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.

    In general, it's a good idea to keep your system up-to-date from WindowsUpdate!!

    It has also been confirmed that 'Index.dat Viewer' changes your IE search pages to superwebsearch.com, a CWS affiliate page, after installing it. Uninstalling Index.Dat Viewer will not restore your search pages.
    Also:
    Normal form, will work for most people:
    Download http://www.merijn.org/files/CWShredder.exe

    If you get a message saying 'A required dll, MSVBVM60.DLL, was not found', install this first:
    Visual Basic 6 runtime libraries from Microsoft

    If you can't or won't download bare executables for some reason, try this link to the zipped version:
    Zipped version of CWShredder

    If you get a virus warning for W32/Generic.worm!p2p, try this link instead:
    Unpacked version of CWShredder
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  4. #4
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    Hi

    First, regarding that DSO Exploit.......It shouldn't be much of a worry...if your OS is patched up....The DSO exploit patch was available, I think, way back in 2002.....I too get that DSO Exploit every time I run Spybot....until I set Spybot to ignore it...

    If all your critical updates are installed you are protected against DSO Exploit and you can eliminate the annoyance of DSO Exploit reappearing each time you scan this way:
    1. Open Spybot and select 'advanced' mode.
    2. Select 'settings' in the left column.
    3. Select 'ignore products' in the left column.
    4. Select 'security' tab.
    5. Place a check mark in the box beside 'DSO Exploit'.
    6. Exit Spybot.
    7. Restart Spybot and run a scan.



    For More Information on this Read this

    If CWShredder is not running..it might be possible something has corrupted it or is stopping it from running...try running your computer in safe mode and then run CWShredder.....you can also download the new version of CWShredder, the latest version v1.59.0.. and then run it in safe mode...


    and I am not good at reading these HijackThis logs..

    --Good Luck--

  5. #5
    Member
    Join Date
    Jan 2004
    Posts
    81
    Thanks for your help but I've already tried downloading CWShredder a few times and I get the same problem. Also tried safe mode and it didn't make any difference. I'm on Windows ME, don't know if that makes any difference but I'll keep trying with it anyway. Maybe if I disable the JVM that will help but I'm not sure about what it will do to other things in the OS.

  6. #6
    HeadShot Master N1nja Cybr1d
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    CWShredder or HijackThis closes immediately after opening?
    There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.
    If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well as Spybot S&D, Ad-aware and several anti-spyware forums).
    Try this solution. Go get the file here: http://www.safer-networking.org/files/delcwssk.zip

  7. #7
    Member
    Join Date
    Jan 2004
    Posts
    81
    Thanks, I just did though and when I tried to open it, it said:

    CoolWWWSearch.SmartKiller (v1/v2) has not been found on your system.

    Whatever spyware/hijacker/virus this is, it's good at doing its job!

  8. #8
    HeadShot Master N1nja Cybr1d
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Interesting. How much do you know about your system? Try rebooting in safe mode, logging in as Administrator, and going through your directories. Delete any folders/files that shouldn't be there. You'll also find VB files in your Windows directory that are booting up with Windows. Delete those. Go to Start > Run > msconfig and check what's starting up with Windows; I think it's the last tab on the top. There you'll find a list of stuff that is starting up...the spyware might be there as well, and it will tell you where it's located. Go to its location and try to manually delete it. If it doesn't let you delete because it's write protected, try renaming it completely to something stupid like "asdsadfasf.txt", reboot in safe mode again and then go back to delete it.

    Hope it helps.

  9. #9
    Member
    Join Date
    Jan 2004
    Posts
    81
    I don't really know much about computers, I've only had one about 10 months but I'm trying to learn more all the time. I just don't know where to start sometimes, especially when the registry is as big as it is. One thing I have noticed is that when I go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft in the registry, there's a few things there that look odd. You got me thinking about it when you mentioned Visual Basic; I saw that on the Merijn page it says that you need Visual Basic 6 for CWShredder to work and after installing it three times there's still no key for it. I get Visual Basic, Visual Basic 4.0 and Visual Basic 5.0.

    I don't know what's booting up with Windows though because it doesn't say Visual Basic anything in any startup stuff I have, unless I've missed it.

    With MSConfig, when I go to Startup I get:

    SpySweeper
    TaskMonitor
    SystemTray
    LoadPowerProfile
    CnxDslTaskBar (Modem)
    SmcService (Sygate Firewall)
    LoadQM
    C-Media Mixer
    LoadPowerProfile (again for some reason)
    Scheduling Agent
    Avgserv9.exe
    Smcservice (Sygate again too)

    I don't know what some of those are, especially LoadQM, but anyway I'm about stuck now and am wondering where Visual Basic 6 is to actually run CWShredder, which was running fine for weeks and then just stopped working. If anyone really knows about this stuff, I've got something called PV by Shadowwar that finds loads of stuff that's running with IE. I just left it for the moment because I don't want to be posting list after list if it isn't going to help.

  10. #10
    HeadShot Master N1nja Cybr1d
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Here you can get the runtime libraries: http://www.softwarepatch.com/windows/vbrun6.html

    You do not need Visual Basic 6, just some DLL files from it pretty much. If the required DLL is not in the SP6 package, which is the one mentioned in the link above, Google for the rest of them.

    In MSconfig, if you expand the directory path, you can see where the file is located. If it's not something you installed or you use, just delete it. Disable anything that you are not using...such as the scheduling agent, LoadPowerProfile, LoadQM, media mixer....just get rid of all the **** you don't need. You don't need a program you've installed to search for updates every single day.
