dropper? downloader? small? cws? what?

Discussion in 'Malware Help (A Specialist Will Reply)' started by i say DEATH, Jan 26, 2005.

  1. i say DEATH

    i say DEATH Private E-2

    ok..
    i started getting pop ups from one of my antivirus programs, avast!. it's been saying for days i'm infected with:

    cws_ns3 hijacker
    dropper.delf.3.BE
    backdoor.small.3.BI
    downloader.agent.7.E
    downloader.small.11.BU
    downloader.1stbar.5.BP

    i've downloaded every spyware, antivirus, trojan remover, etc. that i can find and even if it does detect anything having to do with anything bad, it comes back as soon as i reboot. sooo here's a log of everything i've done:

    step one:

    stinger: number of clean files: 45795
    security check: safe for all
    trendmicro scan: troj_istbar.ah (deleted)


    step two:

    clean harddrive with CCleaner: done

    step three:

    ad-aware se (ad-aware vx2 cleaner plug-in): clean
    spybot (dso exploit patch): dso exploit (6): fixed
    immunize: complete

    step four:

    cwshredder: not found
    kill2me: has been removed if present
    about:buster: nothing found
    hsremove: 8 items removed

    asquared was used.
    avast, bitdefender, ravantivirus.

    many times things have been removed, to no avail. my homepage and search page are being changed over and over.
    so, this is my latest attempt. here is my hijackthis! log:


    Edit by chaslang: Unrequested inline log changed to attachment. Please follow forum guidelines and read the sticky posts.

    oh, i have also used norton antivirus.
    and here is the location of one of the random trojans:
    c:\windows\temp\tmp23.tmp
    of course the name of the temp file keeps changing.

    if anyone can and will help me, it would be much obliged. thanks.

    DEATH!
     

    Last edited by a moderator: Jan 26, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future, please follow guidelines about posting HJT logs!
    - only when we ask for them
    - only as an attachment to your message


    Note: Your WinXP and IE versions are severely out of date and present a major security risk. After fixing your current problems, you must go to Windows Update and resolve this.

    You must only run one antivirus application. Pick which one you want to keep and uninstall the other. You currently have AVG and Symantec/Norton.

    You also have multiple firewalls installed. You must only use one software firewall application. Pick one and uninstall all others.

    You may also be at the point where you are running too many spyware protection applications. This is a burden on system resources, can cause conflicts, and may actually make cleanup more difficult in some cases. You should uninstall either MS Antispyware or SpySweeper. SpySweeper is actually a better, more mature product at this point than MS Antispyware. MS Antispyware has some problems including false positive detections. I would uninstall it for now. Did you buy SpySweeper?

    You appear to have at least the traces of an HSA hijacker.
     
    Last edited: Jan 26, 2005
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing what I suggested in my previous message, follow the steps below.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmvel.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmvel.dll/sp.html#28129
    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr...ll_pre.php (file missing)
    O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) -

    After clicking Fix, exit HJT.
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
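
The entries selected in the post above share recognisable patterns: an IE search page served from a `res://` resource inside a local DLL, an entry marked `(file missing)`, and an O16 (Downloaded Program Files) entry with no source URL. The following triage script is an added example, not part of the thread and not how HijackThis itself works; the rule names (`res-dll-page`, `file-missing`, `dpf-no-source`) and the R0 line are constructed for illustration.

```python
import re

# Entries quoted in the post above, plus one constructed benign R0 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmvel.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmvel.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr...ll_pre.php (file missing)
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) -
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) -\s*(?P<src>.*)$")


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code in ("R0", "R1") and " = " in body:
            _key, value = body.split(" = ", 1)
            res = RES_DLL.match(value)
            if res:
                # IE start/search page loaded from a resource inside a local DLL
                findings.append((code, "res-dll-page", res["dll"]))
        if body.endswith("(file missing)"):
            # Entry whose target is not present as a local file
            findings.append((code, "file-missing", body))
        dpf = DPF.match(body) if code == "O16" else None
        if dpf and not dpf["src"]:
            # ActiveX (Downloaded Program Files) entry with no source URL
            findings.append((code, "dpf-no-source", dpf["name"]))
    return findings


def dlls_to_inspect(findings):
    """Unique DLL paths referenced by res:// page settings."""
    return sorted({d for _, reason, d in findings if reason == "res-dll-page"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A flagged line is a prompt for manual review, not a verdict: `(file missing)` also appears on legitimate entries whose target is a URL rather than a local file.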
     
  4. asada

    asada Private E-2

    To remove cws_ns3 permanently first turn off system restore (that's one of the reasons it always comes back) then go to run and type Regedit. Then click these in the following order my computer, Hkey_local_machine, software, microsoft, windows, current version, and finally uninstall. Once there delete all the files that have a name with only two or three letters (this will delete traces even spyware removal programs cannot find). Once they are all deleted restart your computer and cws_ns3 should not come back.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's enough of this kind of posting.

    You need to read our sticky threads. All of the above is already covered in many places.

    And just doing that alone will not fix HSA hijacks.
     
