Question

Problem 1 - Backdoor Trojan WINPE.DLL, or winpe.dll; Problem 2 - CWS_NS3, CWS_NS3 Hijacker, CWS_Yun

Asked by: Martin_Rumpf

Hi

Just signed up to the site in search of a solution to the above named trojan file which is causing problems. I have Norton Antivirus Corporate Edition updated to latest version 7.61.930, scan engine 4.1.0.15. It detects the file with the following details:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Backdoor.Trojan
File:  C:\windows\system32\winpe.dll
Location:  C:\windows\system32
Computer:  USER
User:  barry
Action taken:  Clean failed : Delete failed : Access denied

While detecting it, it is unable to either quarantine, clean or delete the file, consequently the above message appears every time I open any program or file. A system search for the file is unable to locate it, and it does not appear in the system32 folder when I looked for it either. I downloaded Trojan Remover and ran it, however it is unable to detect the file.

Second problem, which may be related to the first: my Webroot SpySweeper registered version detects Adware files named CWS_NS3, CWS_NS3 Hijacker, and CWS_Yun. It is unable to remove these files. IE has been slowed considerably, and the home page is repeatedly reset to:
res://huhkk.dll/index.html#96676
Opening other pages often results in being redirected to the same address

I read a solution to the CWS_NS3 Hijacker problem in the EE category, but it is confusing, and I thought it may be different as it does not contain anything about CWS_Yun. I hope my question is not too broad for you to answer; sorry if so, it's my first time here...

This Question has been solved and asker verified.

Asked On: 2004-07-23 at 23:36:31 (ID: 21069854)
Tags: backdoor, trojan
Topic: Anti-Virus Applications
Participating Experts: 4
Points: 50
Comments: 31


Answers

 

by: ericpete, posted on 2004-07-24 at 14:10:33 (ID: 11629608)

CWS is truly insidious; see http://www.spywareinfo.com/~merijn/cwschronicles.html for the trials and tribulations of the guy who wrote HijackThis and CoolWebShredder.

It's the only reliable tool I've found to remove CWS.

ep

 

by: Lobo, posted on 2004-07-24 at 18:11:46 (ID: 11630402)

Hi Martin,

Question 1 - Run Norton or an online scanner in Safe Mode. You can look up a current thread on Backdoor.trojan at:   http://www.experts-exchange.com/Applications/Viruses/Q_21063178.html
For links to online scanners and other tools check:   http:Q_20975384.html
If that doesn't work we can try using Killbox, for which I'll need to give you step-by-step instructions.

Question 2 - Again, run CoolWebShredder in Safe Mode. Also, disconnect your machine from the Net before doing it. You may also want to disable System Restore if you have it.

If you still have problems after that let us know for additional instructions.

Good Vibes!

Lobo

 

by: Martin_Rumpf, posted on 2004-07-24 at 20:24:36 (ID: 11630589)

Thanks all for the help.

To ericpete, I downloaded CoolWebShredder and ran it, but it didn't find anything, and looking at its list of CWS files I did not notice the 3 I have: CWS_NS3, CWS_NS3 Hijacker, or CWS_Yun. The latter one can't even be quarantined by Spysweeper while the other two can (albeit ineffectively).
I emailed the creator of CWShredder to let him/her know.

To Lobo, sorry to sound a bit dumb, but I am not sure how to go about running it in safe mode, nor how to disable system restore. It should be said my knowledge of computer technicalities is basic at best. Meanwhile this thing is doing my head in!! I can't imagine why people invent this type of nuisance...

Also, it is redirecting me so much that I couldn't get to the windows update site to download the patches to avoid it in future..Aghhhhhhh!!!

Hope we can solve it.. Thanks

 

by: SheharyaarSaahil, posted on 2004-07-25 at 04:08:29 (ID: 11631367)

Martin_Rumpf, download and run a HijackThis scan >> http://www.wilderssecurity.com/supportfiles/HijackThis1980.exe
and check if you are getting any "O20: AppInit_DLLs" entry in the last line.
If YES, then here is the solution to this Backdoor Trojan problem!

Actually, what the problem is: this file is not present on your hard drive; it's actually residing in the Registry.
If you go to Start>Run>regedit
and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

in the right pane you will find an AppInit_DLLs entry, and when you right click it and choose Modify, under the Value data you will see the above file!

And what you need is just to remove it from there to get rid of this message!
For this, restart your system in SAFE MODE, log in as Administrator if XP, and follow these instructions carefully!

=====================================================================================
The key to removing this problem is the registry key called

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.

Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
======================================================================================
ref >> http://www.lavasoftsupport.com/index.php?showtopic=32685

After doing the above procedure, run these tools and delete everything they detect! (in Safe Mode also)
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================

 

by: Lobo, posted on 2004-07-26 at 13:22:02 (ID: 11641238)

Hi Martin,

What version of Windows are you running?

Also, if CWS isn't detecting it then give AdAware a shot. It can also be downloaded from the tools link I posted earlier.

Good Vibes!

Lobo

 

by: Martin_Rumpf, posted on 2004-07-26 at 16:38:42 (ID: 11642477)

Hi Lobo

I have Windows XP Professional Version 2002 Service Pack 1.

My computer is a Compaq Presario 2700 Notebook. Hope this helps.

Thx, Martin

 

by: SheharyaarSaahil, posted on 2004-07-26 at 16:39:37 (ID: 11642479)

:-o

Martin, are you still having the problem?

 

by: Lobo, posted on 2004-07-26 at 19:14:31 (ID: 11643067)

Hi Martin,

Here's how to disable System Restore:

1- Go to Start>Settings>Control Panel>System
2- Select the System Restore tab.
3- Check the "Turn off System Restore on all drives" checkmark.
4- Hit OK.

To boot your machine in Safe Mode you hit the F8 key while the machine is booting (hit it several times.) The machine will display a Boot Mode screen listing several Boot "modes" Select Safe Mode from that list.

Run CWS or AdAware again in Safe Mode. It would be good to run your Antivirus in Safe Mode too, to get rid of the Trojan.

If the problem persists let us know. I'll guide you through a more radical method but only if the conventional tools don't work.

Good Vibes!

Lobo

 

by: Martin_Rumpf, posted on 2004-07-26 at 19:56:31 (ID: 11643173)

Hi Lobo and SheharyaarSaahil

I managed to figure out start in safe mode by pressing CTRL/ESC during startup, so sorry to bother you with that one.
Then after following your directions Saahil, after some trial and error on my part, the FANTASTIC news is that you were spot on!! The WINPE.DLL is gone. I cannot thank you enough, you are a legend as we say in Australia. Nice work mate!! I am not sure of the rules of the site, ie, whether I am supposed to award points to you, but if so pls tell me how and I will give you as many as possible for your sterling work.

This means that problem 1 of my question is solved. However, after running my fully updated registered version of Webroot spysweeper, I find that the CWS_NS3 and CWS_Yun bugs are still present with the same immunity to deletion as before. So it appears the two problems are not related.

Now Lobo, I will go back to your earlier advice with regard to the CoolWebShredder in safe mode, although I am not so confident of success as the initial scan when I ran this, as I mentioned, it did not contain the three strains of CWS present on my machine. I will give it a go and let you know what happened asap.

Many thanks to all, Martin

 

by: ericpete, posted on 2004-07-26 at 20:07:15 (ID: 11643200)

Martin,

Glad to hear you got at least part of your problem solved. There are manual ways of removing all instances of CWS, but they involve editing the Registry, and while I feel reasonably confident doing it myself for my computer, I don't feel at all confident about telling someone else how to do it (although both Lobo and SheharyaarSaahil are probably quite capable of telling you what to look for).

You might also want to return to the link I gave you and report the new variants to Merijn; he's the guru on CWS, as you know if you read the Chronicles he has written.

When your problem is solved, you can split the points between the two of them (I'm just a bridesmaid in this thread) by clicking the link above the text box that says Split Points. Be sure to give them As, though -- they've earned them... <grin>

ep

 

by: Lobo, posted on 2004-07-26 at 22:10:17 (ID: 11643502)

Hi Martin,

Good!  Backdoor is gone and now we need to take care of CWS.

Please look up your machine for the following file:

C:\WINNT\system32\crou.dll

If you find it then we've got a solution.  Also, make sure you Update your CWS to have the latest definitions in it.  In addition, SpySweeper is supposed to get rid of CWS_NS3. You may want to give it a try. Free download from:

http://www.spysweeper.com/


Hi Ericpete,

Thanks for the vote of confidence. I think we're all here to help, that's what counts. The link to Merijn's Chronicles makes great reading material. The guy is really something.

Good Vibes!

Lobo

 

by: Martin_Rumpf, posted on 2004-07-27 at 00:46:40 (ID: 11644111)

Hi Lobo

I couldn't locate crou.dll, it doesn't seem to be there. I have a paid registered and up to date version of Webroot SpySweeper, which I ultimately paid to register the full version as a result of this CWS thing. It did not and still does not eliminate the problem even after updating it just ten minutes ago. I have the following now:

1.Adaware 6.0 latest trial version Build 6.181
2.Norton Corporate Edition Latest Updated Version 7.61.930 Scan Engine 4.1.0.15
3.Webroot SpySweeper Registered Paid Latest Version 3.0.0 Build 129
4.Spyware Doctor Trial Version
5.CWShredder Latest Version V.1.59.1
6.Hijack This
7.Spyware Stormer Version 1.4.7
8.Trojan Remover 6.2.8
9.Stinger 2.3.5.0 Build July 26th
10.Webroot Pop Up Washer Trial Version

I checked again on CWShredder after updating and running it; the 3 strains I have are still not listed on it, that is CWS_NS3, CWS_NS3 Hijacker, and CWS_Yun. After running it, nothing was detected. What to do now?

Your help is appreciated, thank you

 

by: Lobo, posted on 2004-07-27 at 14:15:33 (ID: 11651110)

Hi Martin,

Let's try a more radical approach.  First you'll need to download a couple more tools:

KillBox:
http://www.gatesofdelirium.com/ee/KillBox.zip

Registrar Lite:
http://www.resplendence.com/download

Install all three utilities. It would be good to reboot your machine after each installation. Also, it's better to disconnect the machine from the Net while doing this.

After you're done, run SpySweeper. Hit the Update button, we want to make sure you have the latest update.
 *Select your hard drive (C: if you only have one)
 *Select Sweep Memory and Sweep Registry
 *Uncheck "Skip files larger than 100000 kb"
 *Hit "Sweep" and delete whatever it finds

After that:

 *Hit the Active Shield Tab
 *Select “on” for home page shield
 *Enter the home page you want under “protected home page address" (i.e. http://www.experts-exchange.com)
 *Select "Always Notify Before Restoring" (This will produce a warning if a spyware is trying to change your home page addy)
 *Under “Tracking Cookie Shield” select “on”
 *Under “Memory shield” select "on"
 *Hit "Apply"

Do NOT reboot now. Run Registrar Lite. It will create a set of registry bookmarks, that's fine. Now:

 *In the Address bar enter: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
 *Hit GO
 *On the Right panel, double-click AppInit_DLLs. a Data Editor window will pop up.
 *Look on the bottom field titled "Value". There should be a DLL there (or more than one.) Do NOT delete it just yet.
 *WRITE DOWN the full path of this DLL. (Should look something like C:\WINNT\SYSTEM32\abcd.dll with the actual name being different) You'll need this path later so this is very important.
 *On the right panel, the folder "Windows" (that is highlighted in blue) rename it "NoWindows" (without the quotation marks). This is a temporary change only.
 *Double-click AppInit_DLLs again and this time delete the value containing the .dll and hit OK. This removes the nasty DLL from loading on boot.
 *Rename the "NoWindows" folder back to its original "Windows" name.
 *Close Registrar Lite. Do NOT reboot the machine.

Now comes the part where we kill the DLL completely. Run KillBox.

 *Under "Paste Full Path..." enter the path to the DLL that you wrote down earlier.
 *Do NOT hit Kill
 *From the Action menu select Delete on Reboot. You'll get a small window pop up.
 *Click "File" then "Add File" and hit Exit. If there were more than one DLL when you ran RegLite, then you need to enter all of them into the Add File window.

Now reboot the machine. This should remove that crapware. Remember to run Windows Update afterwards.

Good Vibes!

Lobo
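Both AppInit_DLLs posts above (SheharyaarSaahil's on 2004-07-25 and Lobo's directly above) turn on one fact: whatever is listed in that value is loaded into every process that links user32, and the value may "look blank" in regedit while still carrying a DLL name. The following is an added example, not code from this thread or from any of the tools it mentions. It assumes the REG_SZ data is UTF-16LE and that a value whose data starts with a NUL character is shown as empty by tools that read it as a C string, which is one way the "blank" value the posts describe comes about (the thread itself does not say which trick was used). The byte strings are constructed; on a live system the raw data would come from a .reg export in hex form or from the registry API. The HijackThis O20 line the earlier post asks about is simply this value as HijackThis reads it.

```python
"""Inspect the raw data of an AppInit_DLLs value for hidden DLL names.

Added example for the AppInit_DLLs removal posts; not code from the thread.
Assumptions: REG_SZ data is UTF-16LE, and data beginning with a NUL shows
as blank in regedit and similar tools, which stop at the first NUL, while
the bytes after it are still present. All samples below are constructed.
"""
from __future__ import annotations

import re

APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"
SEPARATORS = re.compile(r"[ ,]+")  # DLL names in the value are space- or comma-separated


def decode_reg_sz(raw: bytes) -> str:
    """Decode REG_SZ bytes, keeping embedded NULs but dropping the terminator."""
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def displayed_string(text: str) -> str:
    """What a tool that treats the data as a C string shows: up to the first NUL."""
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def list_dlls(text: str) -> list[str]:
    """Every DLL entry in the data, including entries after an embedded NUL."""
    return [p for p in SEPARATORS.split(text.replace("\x00", " ")) if p]


def analyse_appinit(raw: bytes, on_disk: frozenset[str] = frozenset()) -> dict:
    """Compare what the editor shows with what the value actually contains.

    on_disk: file names (case-insensitive) found where the entries point;
    an entry for a file that a search cannot find is itself worth noting
    (the thread's winpe.dll was never located on disk).
    """
    text = decode_reg_sz(raw)
    shown = displayed_string(text)
    dlls = list_dlls(text)
    visible = set(list_dlls(shown))
    present = {f.lower() for f in on_disk}
    names = sorted({d.rsplit("\\", 1)[-1].lower() for d in dlls})
    return {
        "displayed": shown,
        "dlls": dlls,
        "hidden": [d for d in dlls if d not in visible],
        "missing_on_disk": [n for n in names if n not in present],
        "loads_into_every_process": bool(dlls),
    }


# Constructed samples: an empty value, a visible entry, a NUL-hidden entry,
# and a harmless-looking entry with a second one hidden behind a NUL.
SAMPLES = {
    "clean": b"\x00\x00",
    "visible": "C:\\WINDOWS\\system32\\winpe.dll".encode("utf-16-le") + b"\x00\x00",
    "hidden": b"\x00\x00" + "winpe.dll".encode("utf-16-le") + b"\x00\x00",
    "mixed": "legit.dll\x00winpe.dll".encode("utf-16-le") + b"\x00\x00",
}

if __name__ == "__main__":
    print(f"{APPINIT_KEY}\\{APPINIT_VALUE}")
    for label, raw in SAMPLES.items():
        r = analyse_appinit(raw, frozenset({"legit.dll"}))
        print(f"{label:8} regedit shows {r['displayed']!r:36} loads {r['dlls']} hidden {r['hidden']}")
```

The check to apply before and after the rename-delete-rename procedure in the posts is the `hidden` list: an empty `displayed` string with a non-empty `dlls` list is exactly the "looks blank but is not" condition, and a value that comes back after deletion means the DLL is still loaded in the process that re-adds it, which is why the posts do the edit in Safe Mode.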

 

by: Martin_Rumpf, posted on 2004-07-27 at 18:09:32 (ID: 11652462)

Hi Lobo

Not sure if these instructions are possible. The reason being, if you read back to Saahil's earlier direction from 07/25/04 to remove the winpe.dll virus, my problem 1, this involved deleting the very file you have mentioned, AppInit_DLLs. So once I reach the line of your instruction listed below, I cannot go any further, because that file has been deleted already.

*In the Address bar enter: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Not sure if I missed something here though, what do you think?....

I assume that if CWShredder contained the strains of CWS that I have, which it currently doesn't, that would solve it? I am wondering why it does not? Is it possible to contact the creator of that program, I emailed them about it earlier but did not hear back yet.

What to do now??

Regards, Martin

 

by: Lobo, posted on 2004-07-27 at 23:58:51 (ID: 11654006)

Hi Martin,

Just so that I understand you clearly; Do you mean that there is no AppInit_DLLs key or that the key is there but has no value attached to it?

Good Vibes!

Lobo

 

by: Martin_Rumpf, posted on 2004-07-28 at 01:30:34 (ID: 11654141)

Hi Lobo

I deleted it according to the instructions from Saahil, so I mean to say that there is no AppInit_DLLs key. I just did a search for it, and for sure it is gone.

Cheers, Martin

 

by: Lobo, posted on 2004-07-28 at 07:16:40 (ID: 11656708)

Hi Martin,

Gotcha. Shouldn't have deleted that key but it's already done so no point in crying over spilled milk, as my mom used to say. I'm in a bit of a hurry this morning but tonight I'll post you a step-by-step guide to look for DLLs hidden in other locations. We must find that nasty.

Good Vibes!

Lobo

 

by: Martin_Rumpf, posted on 2004-08-04 at 17:16:51 (ID: 11722068)

Hi Lobo

I was wondering if you have any other suggestions about removing the CWS problem as I haven't yet worked it out myself. And I was wondering when I am supposed to reward the points for the earlier information?

Regards, Martin

 

by: Lobo, posted on 2004-08-04 at 18:13:18 (ID: 11722471)

Hi Martin,

Sorry for the delay, I got sidetracked and kinda forgot. Sorry!

Okay, here's what we're gonna do. We're gonna take a close look at the Processes running in your machine and look for anything suspicious. For that purpose we're gonna need to download a little helper. Go to:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

and download Process Explorer. It's free and you don't even need to install it. Just unzip to a folder in your Desktop and run it. If you get a message regarding Microsoft support for Symbols you can ignore it. After you open it, you'll see a list of all Processes running in your computer. Go to the File menu and hit Save to create a report in TXT format. You can copy and paste that report here as you did with HijackThis. Let's take a look and see if we can find that baddie.

Good Vibes!

Lobo

 

by: Martin_Rumpf, posted on 2004-08-04 at 21:17:08 (ID: 11723144)

Hi Lobo

Here is the information you required.
Also, I have just now detected with SpySweeper new items which it cannot remove. They are as follows:

javaeu32.exe
wings.exe
hbizs
javagw32.exe

I manually deleted the first two, hopefully that wasn't the wrong thing, however they are still being detected. I assume they are all related to the CWS thing, but I noticed that now the system is running slower.

Hope this helps......Martin



Process                 PID   CPU Description                                 Company Name
System Idle Process     0     79
 Interrupts             n/a       Hardware Interrupts
 DPCs                   n/a       Deferred Procedure Calls
 System                 4     1
  smss.exe              556       Windows NT Session Manager                  Microsoft Corporation
   csrss.exe            620       Client Server Runtime Process               Microsoft Corporation
   winlogon.exe         644       Windows NT Logon Application                Microsoft Corporation
    services.exe        692       Services and Controller app                 Microsoft Corporation
     svchost.exe        872       Generic Host Process for Win32 Services     Microsoft Corporation
      msmsgs.exe        1728      Messenger                                   Microsoft Corporation
     svchost.exe        972       Generic Host Process for Win32 Services     Microsoft Corporation
     svchost.exe        1156      Generic Host Process for Win32 Services     Microsoft Corporation
     svchost.exe        1224      Generic Host Process for Win32 Services     Microsoft Corporation
     spoolsv.exe        1468      Spooler SubSystem App                       Microsoft Corporation
     alg.exe            264       Application Layer Gateway Service           Microsoft Corporation
     defwatch.exe       292       Virus Definition Daemon                     Symantec Corporation
     rtvscan.exe        332       Norton AntiVirus                            Symantec Corporation
      MSGSYS.EXE        1704      CBA -- Message System                       Intel Corporation
     javaeu32.exe       492
     svchost.exe        540       Generic Host Process for Win32 Services     Microsoft Corporation
    lsass.exe           704       LSA Shell (Export Version)                  Microsoft Corporation
explorer.exe            1368      Windows Explorer                            Microsoft Corporation
 realsched.exe          416       RealNetworks Scheduler                      RealNetworks, Inc.
 vptray.exe             440       Norton AntiVirus                            Symantec Corporation
 javagw32.exe           1016
 SpySweeper.exe         1028  19  Spy Sweeper                                 Webroot Software, Inc.
 OLFSNT40.EXE           584       Symantec Fax Starter Edition Port Launcher  Microsoft Corporation
 mozilla.exe            668       Mozilla                                     Mozilla Foundation
 MSIMN.EXE              1200      Outlook Express                             Microsoft Corporation
 WINZIP32.EXE           2832      WinZip Executable                           WinZip Computing, Inc.
  procexp.exe           2856  1   Sysinternals Process Explorer               Sysinternals

Process: Procexp Pid: -2

Type      Name
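Lobo's request above was to look through this report for anything suspicious, and the two rows that stand out are javaeu32.exe and javagw32.exe: every other entry names a description and a company, taken from the executable's version resource, and those two name neither. The following is an added example, not code from the thread or from Process Explorer, that automates that pass over a saved report. It assumes the File > Save output is one tab-separated row per process with one leading space per tree level, which is how the report above was pasted; the report embedded in the code is constructed from a subset of the rows above, re-tabbed.

```python
"""Triage a saved Process Explorer report for processes with no identity.

Added example; not code from the thread. It parses a tab-separated report
of the kind pasted in the post above and flags processes whose Description
and Company Name are both empty, since those columns come from the binary's
version resource, which Windows and mainstream vendor binaries carry. The
REPORT below is constructed from the posted report (subset, re-tabbed).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Kernel pseudo-processes that never carry version information.
PSEUDO_PROCESSES = {"system idle process", "system", "interrupts", "dpcs"}


@dataclass
class Proc:
    name: str
    pid: Optional[int]
    depth: int                      # leading spaces = level in the process tree
    description: str
    company: str
    parent: Optional["Proc"] = None


def parse_report(text: str) -> list[Proc]:
    """Parse File > Save output: tab-separated columns, one space of indent per level."""
    procs: list[Proc] = []
    stack: list[Proc] = []          # ancestors of the row being read
    for line in text.splitlines():
        if not line.strip() or line.startswith("Process\t"):
            continue                # blank line or column header
        depth = len(line) - len(line.lstrip(" "))
        cols = line.strip(" ").split("\t")
        cols += [""] * (5 - len(cols))
        name, pid, _cpu, description, company = (c.strip() for c in cols[:5])
        while stack and stack[-1].depth >= depth:
            stack.pop()             # climb back up to this row's parent
        proc = Proc(name, int(pid) if pid.isdigit() else None, depth,
                    description, company, stack[-1] if stack else None)
        procs.append(proc)
        stack.append(proc)
    return procs


def triage(procs: list[Proc]) -> list[dict]:
    """Return the rows a responder should look at first, with the reasons."""
    findings = []
    for p in procs:
        if p.name.lower() in PSEUDO_PROCESSES:
            continue
        reasons = []
        if not p.description and not p.company:
            reasons.append("no description or company name (no version resource)")
        if p.parent and p.parent.name.lower() == "services.exe" and not p.company:
            reasons.append("runs as a service but names no vendor")
        if reasons:
            findings.append({"name": p.name, "pid": p.pid,
                             "parent": p.parent.name if p.parent else None,
                             "reasons": reasons})
    return findings


# Constructed from the report in the post above: subset of rows, tabs restored.
REPORT = """\
Process\tPID\tCPU\tDescription\tCompany Name
System Idle Process\t0\t79\t\t
 Interrupts\tn/a\t\tHardware Interrupts\t
 System\t4\t1\t\t
  smss.exe\t556\t\tWindows NT Session Manager\tMicrosoft Corporation
   winlogon.exe\t644\t\tWindows NT Logon Application\tMicrosoft Corporation
    services.exe\t692\t\tServices and Controller app\tMicrosoft Corporation
     svchost.exe\t872\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation
     rtvscan.exe\t332\t\tNorton AntiVirus\tSymantec Corporation
     javaeu32.exe\t492\t\t\t
explorer.exe\t1368\t\tWindows Explorer\tMicrosoft Corporation
 vptray.exe\t440\t\tNorton AntiVirus\tSymantec Corporation
 javagw32.exe\t1016\t\t\t
 SpySweeper.exe\t1028\t19\tSpy Sweeper\tWebroot Software, Inc.
"""

if __name__ == "__main__":
    for f in triage(parse_report(REPORT)):
        print(f"{f['name']} (pid {f['pid']}, parent {f['parent']}): {'; '.join(f['reasons'])}")
```

The parent column matters as much as the missing version strings: javaeu32.exe sits under services.exe, so it was started as a service and survives a logoff, while javagw32.exe under explorer.exe was started from a per-user run location. That distinction tells you where to look next (the service list versus the Run keys) once the image paths have been read off the process properties, as the next post asks for.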

 

by: Lobo, posted on 2004-08-04 at 22:31:37 (ID: 11723342)

Hi Martin,

Run Process Explorer again. Double click on the entries for javagw32.exe and javaeu32.exe. You'll see a detailed report of the DLLs that are running them as well as the full path to them. Do not delete them yet but change their extension to .OLD and reboot your machine. Do this for both the EXE files and the associated DLLs. You may need to stop the Processes before doing it. You can stop the Processes with Process Explorer. Let's see if that solves it.

Good Vibes!

Lobo

 

by: Lobo, posted on 2004-08-04 at 22:32:45 (ID: 11723345)

One more thing. Write down the name of these DLLs and their paths, as well as any Registry entries for them that Process Explorer reports.

Lobo

 

by: Martin_Rumpf, posted on 2004-08-12 at 16:52:27 (ID: 11789344)

I did what you suggested, however in the report I could not see anything about dll's. I changed the extensions to .old and rebooted, but they are still there. I was not 100% sure if I did the right thing or not. I am going to check CWShredder again to see if it has been updated, in the meantime I wonder if you have another idea.
Can we ever solve this??!!!!!!!

Cheers, Martin

 

by: Martin_Rumpf, posted on 2004-08-21 at 10:05:08 (ID: 11859813)

Hi Lobo, or anyone of knowledge

Do you know if anyone, any company or other entity, has figured out a solution for the removal of these confounded CWS problems, as I still have all of them on my computer, and continuously there are new strains of spyware programs being detected by Spysweeper.

Currently I still have the three mentioned above, which the CWShredder program as far as I can tell is completely ineffective in removing, as it only deals with other strains of it. Whilst the first part of my problem has not re-occurred, this one is still giving me problems. I would be most appreciative if somebody can help solve this problem once and for all; I can only hope somebody has the answer.

Regards

Marti

 

by: rossfingal, posted on 2004-08-21 at 12:26:33 (ID: 11860404)

Hi!  Martin_Rumpf

At this moment, there are versions of CWS that cannot be dealt with by CWShredder (that's common knowledge).
In fact, the creator of CWShredder (as well as HijackThis, among other things) will not be upgrading CWShredder at this point (he did it for free); there are constraints on the person's time (higher schooling), as well as other issues.
It appears your problem has not been solved -
it also appears that you have closed this question a little prematurely - as you still talk about problems - quote:
"Currently I still have the three mentioned above, which the CWShredder program as far as I can tell is completely ineffective in removing them as it only deals with other strains of it."
Lobo was steering you in the right direction.
At this point, since you have effectively closed this question - it might be a good idea to post a new question dealing with the three remaining problems that you refer to above.
However, that is only my opinion!

Good luck and regards to all!
RF

 

by: rossfingal, posted on 2004-08-21 at 13:23:43 (ID: 11860633)

Hi!

Here's a link to the current state of affairs concerning CWS, from the perspective of the
creator of CWShredder:
http://www.richardthelionhearted.com/~merijn/index.html
Just scroll down and read some of his comments.
Just some information!

Regards..
RF

 

by: ericpete, posted on 2004-08-21 at 16:24:03, ID: 11861568

Just for giggles and grins, take a look at these links to see if anything clicks for you:
http://www.experts-exchange.com//Q_21042150.html
http://forums.spywareinfo.com/index.php?showtopic=18911
http://forums.spywareinfo.com/index.php?showtopic=20244
http://www.security-forums.com/forum/viewtopic.php?p=111024
http://forums.tomcoyote.org/index.php?showtopic=12636

This guy says he managed to remove CWS_NS3 from a WinME machine:
http://wilderssecurity.com/showthread.php?t=43327

From the spywareinfo.com forum:
"Perhaps I should add CWS_NS3 is the version of Cool Web Search that uses random naming, and can reinstall itself if the uninstall is incomplete (note it can reinstall itself off line). Just so everyone knows what version of CWS we are talking about." (http://www.dslreports.com/forum/remark,10864350)

Hope this helps...

 

by: ericpete, posted on 2004-08-21 at 17:02:19, ID: 11861705

There might also be something here you can use:
http://www.experts-exchange.com/Q_21086427.html

ep

 

by: Lobo, posted on 2004-08-23 at 09:00:01, ID: 11871747

Hi Ross & Eric,

Interesting info by Merijn; that guy deserves a monument or something. Have you tried BuggOff yet? I just downloaded it and am ready to give it a test flight... as soon as I finish cleaning up my Inbox from my daily dose of 300+ spams.

>> http://www.experts-exchange.com//Q_21042150.html

A couple months ago I posted a question at Experts Input regarding thread-humping. Several ideas to solve it were passed around but nothing concrete has been done yet. The thread is still open for anyone who may want to add their two cents:

http://www.experts-exchange.com/Community_Support/Expert_Input/Q_21005857.html

Good Vibes!

Lobo

 

by: ericpete, posted on 2004-08-23 at 09:47:36, ID: 11872414

Haven't tried BuggOff yet, but I was thinking about it as I reread Merijn's site.

I don't think there's any problem passing related, unresolved questions back and forth; I know EE actually likes it when a question an Expert answered two years ago answers a question that's asked today. I figure that CoolWebSearch is so insidious (I had a version of it once, and it took me over a week to get rid of it permanently) that passing the information around will only help the poor bastards who inadvertently get stuck with it.

I've looked at the Expert Input question you asked as well (I've always seen it called "hijacking"). I kind of like the idea of restricting comments in closed questions to the participants -- it's a comparatively easy fix. But even though I've been a member for a long time, I don't have any special insight into whether EE will actually do something about the problem.

ep
