CWS Cameup

Discussion in 'Malware Help (A Specialist Will Reply)' started by cressean, Feb 11, 2005.

  1. cressean

    cressean Private E-2

    I have been trying to get rid of CWS.Cameup. Spybot S&D removes one CWS registry entry but it keeps recurring when I restart the PC. I am using W2k w/ Mozilla on a Dell Pentium IV. I also have Netscape. I am not able to attach logs to this post as the links are dead.

    Results of Majorgeeks spyware scan in safe mode:
    CCleaner seems to run successfully.

    Trendmicro scan won't run. The License agreement flashes by before anything can be entered, and permission is denied.

    Symantec Security Check fails with a 'page no longer exists' when I hit start.

    AdAware finds and removes 2 CWS entries.

    Spybot finds and removes 2 other entries.

    CWShredder comes up clean.

    Kill2Me comes up clean.

    About.Buster comes up clean but slows way down at Sysroot\sys32\winstssv.exe (96%) and stays slow until it finishes.

    HSRemove shows 8 entries removed every time.

    In normal mode:
    Whichever (Spybot, AdAware, or CWShredder) is run 1st finds the CWS entry and removes it. This has no effect on the hijack.

    Hijack This starts scanning and stops with 'Hijack This has generated errors, etc.' and shuts down.

    I have logs for what ran in both safe and normal mode, but I suspect I'll have to email them, presuming my email still works.

    Any help will be greatly appreciated. Thank you.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Unless you have an HSA or about:blank hijacker (and it does not sound like it) you do not need to run About:Buster and HSremove. I'm posting a procedure below about how to use HJT and post logs. I know you are having problems with HJT shutting down. So first make sure you have HJT version 1.99 as indicated. If you do and it is shutting down, download version 1.98.2 from http://www.merijn.org/files/hijackthis1982.zip There are a few parasites out there that do cause HJT 1.99 to shut down when it finds them.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. cressean

    cressean Private E-2

    HJT 1.98 ran as you indicated. I am unable to attach the file via 'Go Advanced, Manage Attachments', the links won't work. Suggestions?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post your log inline and one of us will fix it for you.
     
  5. cressean

    cressean Private E-2

    I did some HJT 1.98 fixes. I have the log from before that. The 'Manage Attachments' button still won't work. Windows update doesn't work. HJT 1.99 still shuts down. Here's the HJT log from after the fix (fresh).

    Edit by chaslang: Inline log changed to attachment
     


    Last edited by a moderator: Feb 13, 2005
  6. cressean

    cressean Private E-2

    I've rerun Spybot, AdAware and Trend u, along with most of the anti-virus stuff you recommend, in the normal mode. AdAware found some 'Alexa' stuff and ccleaned it. I ran Trend u in safe mode and came up clean.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {1C834306-9B64-2F93-8555-62550EF27A49} - (no file)
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINNT\system32\DSMANA~1.DLL
    O2 - BHO: (no name) - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - (no file)
    O16 - DPF: Contains -
    O16 - DPF: DownloadInformation -
    O16 - DPF: InstalledVersion -
    O16 - DPF: {00000130-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} -
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} -


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\DSMANA~1.DLL

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.


    Try using HJT 1.99 for the next step. If it does not work, use version 1.98.2 again but tell me that you had a problem. Also see if you can attach the file now. If not, post inline again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. cressean

    cressean Private E-2

    Directions followed. HJT 1.99 still crashes, same symptoms. Can't attach files.

    HJT Log in safe mode, after fix.


    Edit by chaslang: Inline log changed to attachment
     
    Last edited by a moderator: Feb 15, 2005
  9. cressean

    cressean Private E-2

    Excuse me for thinking of this so late. At the beginning of this problem, lo 2-3 weeks ago, I tried to uninstall IE6 unsuccessfully, and in a fit of pique (after installing Mozilla) went into DOS mode and hauled it out by the roots. I have since recanted and reinstalled it.
    The problem with the Wupdate icon predates the IE6 removal.

    Also, I got a message concerning attrib.exe. When I remove that one it comes back. I tested it and was able to change and display an XL file's attributes without mishap.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this file to your computer where you can find it.

    RemV3.Zip

    Extract all the files to a folder (make it a folder for only these tools).
    Then boot into safe mode and run the remv3.bat file.

    Then reboot in normal mode. Does HJT 1.99 work now?
     
  11. cressean

    cressean Private E-2

    Ran V3 in safe mode. HJT 1.99 still shuts down w/ same error. I noticed that the HJT O2 nofile entries, and the O16 entries keep returning.

    I googled WUPDMGR.EXE, the target for the manual update shortcut. Seems to be the subject of Trojans, though nothing I've run has found anything. I replaced WUPDMGR.EXE, WUPDMGR.DLL, and ATTRIB.EXE from my company laptop using a memory stick. No improvement.

    I've noticed that when I delete certain files, they just show up again. I've got Norton System Works 2002. The protection is enabled.
    There is a directory in the system root called _RESTORE which I believe is Norton's stock for repair. Whatever, if it contains corrupted copies I'm going around in circles here.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please redownload this HijackThis 1.99 and extract it to c:\HJT
    Then run that hijackthis.exe

    If you get an error, try to tell me exactly when and give me the exact word for word error making sure of all punctuation and spacing.
     
  13. cressean

    cressean Private E-2

    I unzipped the new HJT file to C:\HJT and ran it. The error occurs between the 'O16' scan finish and the 'O23 - NT Services' scan start. The scan happens so fast, this is the best I can resolve the timing. The HJT list doesn't scroll so I can't tell if the O23 scan is listing.

    The error message is a small dialog box about 380 by 140 pixels. The text 'Program Error' occurs in the left side of the title bar, and a yellow triangle containing an exclamation point appears in the upper left hand corner of the body. Single quotes are mine.

    The error text is as follows:

    'HijackThis.exe has generated errors and will be closed by
    Windows. You will need to restart the program.

    An error log is being created.'

    The spacing between characters is single except for the filename. Capitalization and punctuation is as appears except the single quotes.
    'HijackThis.exe...by' is the 1st line. 'Windows...program.' is the 2nd line. The 3rd line is blank. 'An...created.' is the 4th line.
    At the bottom center is a rectangular button with an inner rectangle. The button text is 'Cancel', which appears when the dialog box pops up. After 2 seconds the button text changes to 'OK' and at the same time HJT closes. The dialog box remains until the 'OK' button is clicked.

    If I try to start HJT without clicking the 'OK' button I get another dialog box saying 'HijackThis already running.'

    Do I have a necessary service disabled?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running HJT V1.99 after booting in safe mode!

    It is possible that there is something in your log that does cause a bug in version 1.99 to show.

    Also post a log from version 1.98.2 after booting in normal mode!
     
  15. cressean

    cressean Private E-2

    C:\HJT\HJT 1.99 ran in safe mode with the same results as before.

    I am using Opera to send this. The MG.com screen colors are correct, unlike IE6, but the 'Manage Attachments' button still doesn't work, along with the text formatting buttons (Bold, etc.).
    Why would the 'Submit Reply' button work, but not the 'Manage Attachments' button?

    I have a friend at work who claims to have had the Update dysfunction sometime ago. He says he ran a Trojan repair utility from Microsoft.com that fixed it. He can't remember the name of the bug, so I am doing a site search. Unfortunately the MS site can be somewhat opaque. Sigh.

    HJT 1.98 was run in safe mode.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:08:03 PM, on 2/15/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\userinit.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\HJT98\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: LastWinDet Class - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: (no name) - {1C834306-9B64-2F93-8555-62550EF27A49} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - (no file)
    O2 - BHO: (no name) - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKCU\..\Run: [Clipomatic] C:\Program Files\Clipomatic\Clipomatic.exe
    O4 - HKCU\..\Run: [WebWasher] C:\Program Files\WebWasher\wwasher.exe
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
    O4 - Startup: Winwall Autostart.lnk = C:\Program Files\Winwall\Winwall.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Resolution Assistant.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\PrivacyKeeper.exe (HKCU)
    O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\PrivacyKeeper.exe (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: Contains -
    O16 - DPF: DownloadInformation -
    O16 - DPF: InstalledVersion -
    O16 - DPF: {00000130-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} -
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} -
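    One way to apply the same triage rules chaslang used on the logs in this thread (hijacked R0 start page, O2 BHOs with "(no file)" or a DLL in system32, O16 DPF entries with no source URL, any O15 zone override) to raw HJT lines, as an added example that is not code from the thread or from HijackThis itself; the sample lines are copied from the logs above, while the list of expected start-page hosts and the system32 heuristic are assumptions:

```python
import re

# Constructed sample: a few lines copied from the HijackThis logs and fix
# lists quoted in this thread (not the complete log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C834306-9B64-2F93-8555-62550EF27A49} - (no file)
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINNT\system32\DSMANA~1.DLL
O16 - DPF: Contains -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
"""

# Start pages the machine's owner actually chose (assumption for this example).
EXPECTED_START_HOSTS = {"www.majorgeeks.com"}

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<rest>.*)$")


def triage_line(line):
    """Return a reason if the HJT line matches a rule used in the thread, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind in ("R0", "R1") and "Start Page" in rest:
        # Hijacked home page: the value points somewhere the user never set.
        url = rest.split("=", 1)[1].strip()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
        if host and host not in EXPECTED_START_HOSTS:
            return "start page set to unexpected host %s" % host
    elif kind == "O2":
        # BHOs: orphaned registrations and DLLs dropped into system32 (legitimate
        # BHOs normally live under Program Files) are the two patterns fixed above.
        target = rest.rsplit(" - ", 1)[-1]
        if target == "(no file)":
            return "orphaned BHO registration (no file on disk)"
        if re.search(r"\\system32\\", target, re.IGNORECASE):
            return "BHO loaded from system directory: %s" % target
    elif kind == "O16" and rest.rstrip().endswith("-"):
        # Downloaded Program File with no source URL: nothing to attribute it to.
        return "ActiveX download entry with no source URL"
    elif kind == "O15":
        # Trusted IP ranges and zone remapping lower IE's security for a host.
        return "security zone override: %s" % rest
    return None


def triage_log(text):
    """Return [(kind, reason, line)] for every flagged line of an HJT log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line))
    return findings
```

Running `triage_log(SAMPLE_LOG)` flags exactly the seven lines chaslang listed for fixing and leaves the Adobe BHO, the majorgeeks start page and the Symantec scanner control alone.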
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and use the latest HijackThis 1.99.1

    Let's see if it can be run.


    There were a bunch of items still in your last HJT log that I asked you to fix earlier. It looks like for some reason they did not get fixed. Maybe the new version will help with this.
     
  17. cressean

    cressean Private E-2

    HJT1.99.1 ran and eliminated the entries you specified. The site buttons now work, at least in Opera.

    I uploaded a before and after HJT log via 'Manage Attachments'. They seem to have uploaded, I should be able to see them when I post this.

    The Windows Update icon is still inoperative.

    The attachments don't show so I'll try them again.

    I can't see the attachments. Let me know if you received them.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you did not get them attached. You have to make sure they are acceptable extension types like a .log or a .txt file extension. And you have to remember to click the Upload button. Make sure you do not have "hide extensions for known file types" checked because you will not see extensions properly.
     
  19. cressean

    cressean Private E-2

    I'm sending these from my laptop at work. The items you specified seem to be staying fixed. There are suspicious items under O15.
    The log files appear to be attached.
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O15 - Trusted IP range: 206.161.125.149
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

    After clicking Fix, exit HJT.


    Now reboot your PC and then get new HJT log. Post your HJT log.
    How are things working?
     
  21. cressean

    cressean Private E-2

    Sorry it's been so long. I removed the HJT O15 entries with no substantial improvement.
    I reran the virus and spyware tools as described in the spyware forum. I managed to get everything run, though I had to run the Symantec scan in normal mode. The spyware tools came up clean. The virus scans would come up with different low threat viruses, which I would remove only to watch others reappear.
    None of the removed entries in HJT came back. All of the spyware tools come up clean, with an occasional Alexa cookie.
    The problem with the windows update remained, as did the inability to use some of the Majorgeeks buttons. I suspect there was a port open in spite of the firewall.

    So, I formatted and reloaded W2k. It turned out to be easier as my system is pretty simple. The final solution.

    I wanted to thank you for the help and patience. The HJT 1.98 and 1.99.1 allowed me to get to this point, but I need to be able to trust that my PC is secure.
    In my Googling this problem I found mention that occasionally malware itself malfunctions, with unpredictable results. Or it might just have been a file damaged in the process.
    Anyway thanks for your help.
    Do you close this string or is there something I need to do?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

