Successful Removal of CWS.SearchX


34 replies to this topic

#1 acomputerpro

acomputerpro

    Computer Talk Show Host from KVTA.COM

  • Full Member
  • Pip
  • 15 posts

Posted 26 June 2004 - 10:43 AM

Hello. I am a computer professional and host of A Computer Show on KVTA Radio in Ventura, CA. I just spent the past 48 hours trying to remove CWS.SearchX, aka Troj_StartPage.sp and BackDoor.Agent.BA.

Here is my info:

6/24/04-6/26/04

Eradication of CoolWebSearch "CWS" variants infecting computer due to
the following conditions present at the time of infection:

“This is a growing family of Trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.

The variants of this Trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.”

JAVA VM was removed, SP1 was left intact and Sun Java was installed per the information below:

If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Remove the MS Java VM completely and replace it with the newer, safer Sun Java VM.

As a side note, some of the affiliates (Search-Meta has been verified) use another Java exploit to install their MalWare. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.

Complications in removing CWS.SearchX described below by Kephyr.com:

Overview
Searchx BHO is implemented as a browser helper object and redirects your Internet Explorer browser to search.cc. If you make a search at searchx.cc, the results will be displayed at cx.linklist.cc. Searchx BHO uses random file names and class ids.

Files
[random].exe

Uninstall procedure
Unknown

The following posted information worked for removing CWS.SearchX on some infected computers, but I needed to also do the step in the final paragraph:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC.
The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan). So what you have to do is the following which worked for me.
1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."

On this computer, there was an infected .dll file in the Windows\System32 directory called wdmdpi.dll which was detected by Grisoft AVG (installed) and not by Norton or McAfee. AVG reported the infection as BackDoor.Agent.BA. A review of this directory in Windows showed no such file exists. Numerous posts in various online message boards criticized Grisoft AVG for reporting false information. The complete opposite is true. The file did exist and was the Trojan itself. It was discovered by using the Microsoft Windows Recovery Console, and manually deleted. The operating system was secured and the Trojan was eradicated.


A Computer Professional
www.acomputerpro.com

#2 skirac

skirac

    Member

  • New Member
  • Pip
  • 1 posts

Posted 26 June 2004 - 12:19 PM

whew, simply amazing, thanks a bunch.

#3 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 26 June 2004 - 02:41 PM

acomputerpro,
Many thanks for your post and I will copy/paste it to my pc.


I was wondering, if you tried "CWShredder v1.59" first,
http://www.soft32.co...load_19014.html
because it would have been a good opportunity to test CWShredder's efficiency.

I quote:
"CWShredder
A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D tends to forget essential parts of the hijack, so until it updates, you can just use this to completely remove the hijack. Updated to remove the new variants once they come out.

This tool will find and destroy all traces of the CoolWebSearch (CWS) hijacker on your system. This includes:

· Redirections to CoolWebSearch related pages
· Redirections when mistyping URLs
· Redirections when visiting Google
· Enormous IE slowdowns when typing
· IE start page/search page changing on reboot
· Sites in the IE Trusted Zone you didn't add
· Popups in Google and Yahoo when searching
· Errors at startup mentioning WIN.INI or IEDLL.EXE
· Unable to change or see certain items in IE Options
· Unable to access IE Options at all"


If other members have experiences with CWShredder, please cut in

ErikAlbert
ErikAlbert
Simplicity is always brilliant.

#4 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 27 June 2004 - 10:49 AM

To ErikAlbert, just cutting in to let you know my experiences of CWShredder v1.59
versus the about:blank CWS variant. It is listed on the shredder, but when I ran it after being infected with about:blank it told me it had removed it but it had not, and after that could not detect it. That's not to say I do not respect it as a program; it got rid of 'coolsearch' after I nearly had a breakdown trying to kill the thing, along with several other CWS variants (including very recently one in Windows Media Player) that no other programs seem able to detect.
But in my experience it's not infallible.
I got rid of about:blank by editing it out of HKEY current users and HKEY local machine, re-entering the home and start pages and default pages that I wanted, using the Spywareblaster homepage tools to edit back to my own pages too, then downloading the Explorer 6 update from Microsoft and the ByteVerifier patch, in fact every security update that looked relevant. Did this all in one go, running AdAware
in between and deleting infected keys and values; the whole procedure had the effect of re-installing the proper default, home, start pages and search assistant, and they have stayed installed and uninfected since. But I had to do much of this over and over cos if you stop at any point (I found out eventually) all the values revert to CWS ones. I'm no expert by the way, but if you have a working knowledge, and are stubborn enough and careful not to do any harm, I've found you can beat these things eventually. :D
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#5 luther

luther

    Member

  • New Member
  • Pip
  • 1 posts

Posted 27 June 2004 - 12:58 PM

You the man ;D ;D ;D

#6 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 27 June 2004 - 01:03 PM

jedi,
Many thanks for your input.
That's the kind of info, I'm looking for and forums are a good source.
As I said before in one of my few posts: none of these softwares are perfect.
Don't you worry about not being an expert, working experience is good enough for me.

I hate the word "expert". I met too many so called experts at my job, who couldn't solve my and other's problems.
If someone calls himself an expert I get suspicious already. Most of them have just a big ego.
Trust me, real experts are like diamonds, very rare, hard to find and hard to get.
A real expert knows EXACTLY what he is doing and will solve your problem, instead of "trying" and "guessing" over and over again to solve your problem.
ErikAlbert
Simplicity is always brilliant.

#7 acomputerpro

acomputerpro

    Computer Talk Show Host from KVTA.COM

  • Full Member
  • Pip
  • 15 posts

Posted 27 June 2004 - 01:14 PM

Hello to all who I have helped by my posting. This is my second attempt at a follow up reply post, since I had just typed one and lost the whole thing. I'll explain how that happened at the end of this post. It's a good lesson.

I did try CWShredder v1.59 and although it does detect and remove CWS.SearchX, it cannot remove the associated Trojan that is placed in the Windows\System32 folder. This is the randomly named file that causes re-infection.

I find it fascinating that the Trojan file is invisible through Windows Explorer, even when folder options are set to show hidden and protected operating system files. I am happy that Grisoft AVG found that Trojan file and amazed that Norton AV and McAfee did not. What's up with that?

Being a computer consultant and radio talk show host aware of security issues, it is my humble opinion that things are only going to get worse for Windows/IE users because of all the security flaws. I like the way Service Pack 2 improves security, but it makes web surfing a lot more thinking and labor intensive. Everyone who is now being victimized by MalWare is going to be better protected, but more confused. Think about the poor computer users who think their monitor is their computer and their computer is their hard drive.

Now, here's how I lost my first reply. As I was poking around for the proper terms like "hide protected operating system files," I noticed that I had not re-checked the box since my problem yesterday. When I did so, it refreshed this IE window and the contents disappeared. Doh!

-gj (A Computer Professional)
A Computer Show on AM 1520 KVTA

www.acomputerpro.com

#8 yovargas

yovargas

    Member

  • New Member
  • Pip
  • 3 posts

Posted 27 June 2004 - 01:52 PM

I've also been hit by this CWS thing and am failing miserably in trying to get it off my computer. I got CWShredder but it hasn't done a thing for me. When I ran it again today, the program shut down half way through scanning. When I reopened it, it said that a variant called CWS.Smartsearch.2 had closed it down. Now CWShredder won't scan at all for me so it's useless.

I tried getting the MS Updates but for some reason it wouldn't run which is what I was hoping to get help with. Sorry if this sounds ignorant but when I try to run the upgrade, the "Windows XP Service Pack 1 Setup Wizard" tells me that I have a dll called "wmmres.dll" running and that it can't continue until I close the app using it. I can close everything I have running and it still thinks the dll is open. I haven't a clue as to why it thinks that, so I gave up and can't get the upgrade. But from the sounds of it I'm not even sure if getting the upgrade will help me.

What should I be doing to get rid of this nuisance? Any help would be much appreciated!

#9 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 27 June 2004 - 03:27 PM

yovargas,
As you can read in this topic and other topics, CoolWebSearch is a very nasty one with a lot of variants and hard to remove completely.

1. CWShredder.exe isn't efficient enough to remove it completely.

2. Bazooka Spyware Scanner detects CoolWebSearch, but doesn't remove it automatically.
At this website you can find instructions to remove it manually.
http://www.kephyr.co...source=appvisit

3. AVG 6.0 is also a good tool.

4. This website is also very good
http://www.spywarein...chronicles.html

5. A google search with "CoolWebSearch" will help you too.

I guess you have to do it yourself, like "acomputerpro" and "jedi" did and it will take some time to remove it manually.
Instead of losing all that time you can back up your personal files and reinstall your pc from scratch. Your choice.

ErikAlbert

Edited by ErikAlbert, 27 June 2004 - 03:33 PM.

ErikAlbert
Simplicity is always brilliant.

#10 yovargas

yovargas

    Member

  • New Member
  • Pip
  • 3 posts

Posted 27 June 2004 - 04:32 PM

Thanks for the links ErikAlbert. I figured I'd have to figure out a manual way to do it. But does anybody know if my problems getting the SP1 upgrade are or could be caused by CWS, or is it an unrelated issue I have to solve?

#11 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 27 June 2004 - 04:57 PM

yovargas,
I can't give you a good answer on that.
I have win2000pro and my Windows Update works fine and I guess Windows Update of winXP shouldn't be a problem at all.
Of course your Internet Explorer is infected by CoolWebSearch and that could be the problem, because your Windows Update uses Internet Explorer.

In your case, I would download Mozilla Firefox (another internet browser) and use this browser as my default browser.
Try to update your winXP via this browser.
I don't know if it works, because I have no experience with it.
I can try it for you, if you want me to do it.
ErikAlbert
Simplicity is always brilliant.

#12 yovargas

yovargas

    Member

  • New Member
  • Pip
  • 3 posts

Posted 27 June 2004 - 05:24 PM

Hm, maybe we're talking about different things. I'm using Mozilla as we type (it is my default) but you only need the browser, as far as I know, to download the patch, which is what I did. It's when I run the patch that I'm getting this error. Seems very weird to me. I don't know if anybody here can help (I haven't heard of anybody else with CWS having this problem yet) but perhaps someone can point me to a place that might be able to help?

#13 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 27 June 2004 - 05:32 PM

yovargas, in that case you better wait for someone else, who knows more about it.
Besides I don't like to help someone, if I'm not really sure about it.
ErikAlbert
Simplicity is always brilliant.

#14 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 28 June 2004 - 12:17 PM

ErikAlbert, thanks for your reply.
I only ever try to speak from experience; it's the best kind of knowledge. Glad to exchange info, these forums are worth pure gold for that.

Yovargas,
Using Microsoft Update I have got many error notices many times; I found using different links to their pages sometimes helped. I haven't ever worked out why this happened, but when I kept trying I managed to download in the end, e.g. the link from 'My Computer' - 'Control Panel' - 'Windows Update' seemed to work better than the one in my 'Internet Favorites' for some reason.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#15 mnosteele

mnosteele

    Dr Tweak

  • Full Member
  • Pip
  • 22 posts

Posted 29 June 2004 - 10:38 PM

Great information acomputerpro :D, I have come across this many times as well and AVG is the only antivirus app that recognizes it. AVG cannot remove it though, this is because it is actually spyware and not "technically" a trojan and AVG's definitions don't know exactly what to do with it. In any case here are the instructions I have put together on my forum, it may come in handy as well:

To manually remove a file do the following:

First try renaming the file extension, for example if it is a dll file rename the .dll extension to .txt then try deleting it. If that does not work then you need to "take ownership" of the file/folder and then you can delete it. First I suggest making a new folder and moving the file into this folder. Then read How to take ownership of a folder in Windows XP. Once you follow the instructions in that link you will be able to right click on the file/folder and delete it.
:thumbsup: :cool:

#16 subQuark

subQuark

    Member

  • New Member
  • Pip
  • 1 posts

Posted 30 June 2004 - 06:57 AM

thanks acomputerpro, your technique seems to have allowed for the removal of trojan.win32.startpage.ix1(dll) on my machine!

and thanks to the team that built and runs this forum! :-D

#17 shayweb

shayweb

    Member

  • New Member
  • Pip
  • 1 posts

Posted 30 June 2004 - 01:43 PM

I am a systems manager for a small company and have been using CWShredder(latest), Spybot1.3, Spywareblaster(latest), HiJackThis(latest) and Pest Patrol(latest).

CWShredder has been effective for me, but I open the program and then go to Task Manager and end iexplore.exe and explorer.exe, since CWS attaches itself to these processes.

My biggest problem with end user systems is "ISTbar", "iGetNet", and "allwebsearch".

Edited by shayweb, 30 June 2004 - 01:44 PM.


#18 patsfan

patsfan

    Member

  • New Member
  • Pip
  • 3 posts

Posted 30 June 2004 - 03:27 PM

Hmmm,

Could you please read the next post, "virus ilxyk", and see if you believe your post and fix look like they would clean the virus ilxyk problem. It sounds very close but slightly different.

thanks,

#19 buhbuh

buhbuh

    Member

  • New Member
  • Pip
  • 1 posts

Posted 30 June 2004 - 10:17 PM

Hi, I think I have CWS.smartsearch.2
I deleted
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
hit F5 and it didn't come back.
I then renamed the key as instructed, hit F5, still nothing.
I started out by running CWShredder v1.59.1 it crashes as it is checking for cws.bootconf (CPU at 100%).
I even booted with a winternals CD, searched the registry and AppInit_DLLs hasn't returned.
I still can't run CWShredder on my PC (Win2K_SP4+all hotfixes through winupdate). CWShredder will run on other PC's I have, so it's not corrupt.
It keeps restarting with random window names.
Could this be a new strain?
If I have to manually search and destroy this (i.e. Winternals boot CD (ERD)) what else should I look for?
Any other software suggestions, other than AVG? :bounce:

Edited by buhbuh, 01 July 2004 - 12:26 PM.


#20 intpp

intpp

    Member

  • New Member
  • Pip
  • 1 posts

Posted 30 June 2004 - 11:03 PM

acomputerpro,

I'm interested in knowing how a detected trojan or bad file can be detected but not be found, even when the "show hidden files" option is on, as I have noticed the same thing.

#21 Cecil

Cecil

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 July 2004 - 09:58 PM

Hi,
It took me 5 days but I finally got rid of "about:blank" and it has not come back. It was a multi step process, no single thing seemed to work. On a Win2k SP4 machine,
remove Microsoft Java and use Sun's. I also noticed that Windows Media Player was acting up so I reinstalled it. Next I used CWShredder and HijackThis. This allowed me to download Ad-aware, which removed more of the trojan. I tried to use the "Ultimate Trouble Shooter" but it would not run due to the trojan. I finally found this forum and removed the "KEY" mentioned above, and then went into the Recovery Console where I changed the attributes of the file, sqll.dll [may be different on yours], and then deleted it.

"Ultimate Trouble Shooter" now loads, AVG 6.0 free does not show a virus, and I can search for car, computer, and sex in both Google and the address line without being hijacked.

Thanks to all the great people on the web.
Cecil

#22 aktee67

aktee67

    Member

  • New Member
  • Pip
  • 1 posts

Posted 04 July 2004 - 11:54 PM

Hello everyone. My uncle used the computer and, he somehow installed a CWS variant. I had the SearchX variant, and it kept coming back, even with the latest version of CWShredder. I keep on pressing "fix" and it keep on coming back!! At first, I thought it was my uncle that didn't listen to me and still went to these porn site with those banners and sh!ts. anyway, so i left the computer and told everyone to "not touch it" after i "cleaned" it with HijackThis. yet, it kept coming back. but, lately, I found a way, and for 5 hours now, it worked, (means, no CWS sh!ts coming back).

By the way I'm using XP sp1.
I pressed CTRL ALT DEL, and observed unknown processes, and I found one on the user name "System", which was something like SCAGENT.EXE in System32 dir. Each time I pressed "end process" it just kept appearing back, so, I thought this was the thing that loads the CWS.

so, I restarted as Safe Mode. First thing I did in safe mode, is checking the SCAGENT.EXE as process. wasn't there. =D, so I went thru c:\windows\system32 and deleted the file. next, I ran HijackThis. I saw the log and all y r0 r1 r2 r3 were redirected to a SP.html file in a temp folder. I went there, deleted it. then fixed the registry key with HiJackThis.
I tried opening my IE, and it wasnt there. =)

but I thought "damn, this is it? seems too easy". so I opened MSCONFIG, checked non-Microsoft services, none. I checked startup items, and saw a file named "䂜䂜䂜䂜䂜䂜". Heck, I didn't know wtf that was, but I unchecked it anyway and deleted it from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
and last, I scanned with the latest version of Ad-Aware. found 1 CWS thing, i cleaned it. and... restarted as Normal Mode

First Thing I did, was running CWShredder.... No sign of SearchX. =|. Opened Internet Explorer.... No sign of hijacked thing. Opened HijackThis, made a log. and damn! nothing! =). It is now 00:53, it been actually 5h25 minutes and no sign of SearchX. =)

If it works for someone else, please email me at [Email address removed. Not a good idea to show it in a public forum. People can send you email by clicking your E-Mail button, below. - cnm]. Im very curious. thanks

Edited by cnm, 05 July 2004 - 09:53 AM.


#23 juel

juel

    Member

  • New Member
  • Pip
  • 1 posts

Posted 06 July 2004 - 03:24 AM

Hi, think I got rid of this fuck, cause my pc is clean now for 6days :)
( by the way, my system is xp prof. )

I first ran CWShredder and Ad-aware, then Norton Anti-Virus, and removed everything that was found.
(Don't start IE between this time)
After that I completely removed the Internet Explorer:
SystemControl-->Software-->Windows Components-->uncheck IE
and deleted the Files in: C:\Program Files\Internet Explorer
( make a backup of iexplore.exe, u'll need it later ;) )
( Connection Wizard folder can't be deleted but doesn't matter )
Then I downloaded the latest IE 6.0 SP1 from
http://www.microsoft...p1/default.mspx
and installed Windows-KB870669 from
http://www.microsoft...&DisplayLang=en
Now copy your backup iexplore.exe to your Internet Explorer directory, and I hope you're also free from this shit.

P.S. If ie-setup doesn't let u install ie, cause a newer version 'is' installed on the system just edit the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Version from eg 6,0,2800,1106 to 0,0,2800,1106

Edited by juel, 06 July 2004 - 07:07 AM.


#24 dvaut

dvaut

    Member

  • New Member
  • Pip
  • 3 posts

Posted 07 July 2004 - 07:44 PM

I am pleased to say that I followed your instructions (more or less) and I think I’m finally rid of my blank-e-de-blank hijacker. I have a number of spy programs: spysweeper, spybot, and xoftspy. Of these spysweeper seems the best. I also became intimately familiar with reglite and hijackthis.

It is my sincere hope that in a few months spysweeper will catch up and develop a d :D efinition for the CWS blank thing. In the mean time those resourceful Russian and Romanian programmers will devise bigger and better hijackers.

#25 dvaut

dvaut

    Member

  • New Member
  • Pip
  • 3 posts

Posted 07 July 2004 - 07:54 PM

Here’s the real secret. There is something that will not let you delete AppInit_DLLs under the windows directory.

Start regedit:

Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Rename windows to windows2

Delete the fucking AppInit_DLLs (and it will stay deleted)

Rename windows2 back to windows

Your problems are over dude.

Clean up with the usual spyware.

#26 jorchid

jorchid

    Member

  • New Member
  • Pip
  • 1 posts

Posted 08 July 2004 - 04:36 PM

Message to acomputerpro: Yeehah! Your method back in post 1 did it! You are worth your weight in gold.

#27 1991FZR600

1991FZR600

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 14 July 2004 - 03:07 AM

I have all the symptoms of CWS, but don't have the AppInit_DLLs value to delete manually. CWShredder didn't work for more than 1 day for me. Any ideas?
Thanx.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

#28 SL83

SL83

    Member

  • New Member
  • Pip
  • 1 posts

Posted 15 July 2004 - 01:31 AM

acomputerpro,

I'm interested in knowing how a detected trojan or bad file can be detected but not be found, even when the "show hidden files" option is on, as I have noticed the same thing.

Go to start then run

type in Command

then migrate to the directory where one of the files is

example: C:\windows\system32\d3nd32.exe

It is hidden, even with show all files

type in

attrib -s -h d3nd32.exe

This removes the system and hidden attributes. You can now delete it from explorer or the command prompt.

#29 silencedogood

silencedogood

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 15 July 2004 - 02:21 AM

I'm showing no symptoms of the CWS.searchx, but I do have in my registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs.

Is there some benign manner by which that key can get into my registry?

#30 yankeegirl

yankeegirl

    Member

  • New Member
  • Pip
  • 3 posts

Posted 16 July 2004 - 10:10 PM

:D Hey acomputerpro! You are the best! I fixed my husband's computer using your fix and it worked!!!! We worked on it for days as well and I had tried everything, including reg edits, adware removers, hijack this, etc. It was awful! Now, it's perfect. We've rebooted the machine at least six times since the fix and the troj hasn't returned.

THANK YOU!

jamie in NY

Edited by yankeegirl, 16 July 2004 - 10:11 PM.


#31 smahadev

smahadev

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 July 2004 - 11:26 PM

I think I've removed it from my computer. Here's what I did.

0. AppInit_DLLs: Searching for this key in the registry leads to one with a (seemingly) blank value. In reality, it is not. If you right click on the value, and select 'Modify Binary Data', you will see that a malware DLL is encoded in there, even though it appears blank. In my case, this was D:\windows\system32\hlpp.dll

Curiously enough, I could never find or list this dll, let alone remove it! However, if I ran the 'pv' tool using runme.bat, I would see this listed in both the Explorer and IE dll listings (options 1 and 2)! See the CWS chronicles at merijn.org to find out what your particular dll's name is. Even though the BHO entry may point to a randomly named dll, the pv listing was always hlpp.dll for me!

Now, I tried removing the AppInit_DLLs key. I also tried the rename the Windows folder in the registry to Windows2, deleting it and renaming it back to Windows. Although I didn't see it come back if I hit F5.. If I closed and reopened regedit, dang it there it was again! #@&%*

So, here's what I did.

1. I ran Ad-Aware to remove the randomly named DLL and the registry entries associated with it. Make sure you're running with the latest update just to be safe.

2. I rebooted in Safe Mode by hitting F8 when windows is booting up and selecting the safe mode option.

3. Then I opened regedit, went to the tell-tale AppInit_DLLs key and REMOVED it. This time, when I closed regedit, and reopened it, it did not come back!! Yay!

4. Further, I went to the D:\windows\system32 dir looking for the hlpp.dll, and voila, that was there too! I deleted it, and there was no problem doing that.

5. I ran Lavasoft's Ad-Aware, to remove any other registry entries and randomly named DLLs. There were no DLLs, but a few reg entries that I removed.

At this point, I thought I had eliminated all the culprits. (the source DLL, the AppInit_DLLs entry and all garbage generated inbetween via AdAware). I crossed my fingers and rebooted.

I haven't seen the problem occur again.

6. I also ran HijackThis to remove any bad leftover BHO entries that I did not recognize. I was also using BHODemon to make sure they were all gone.

And they seem to be.

Wish me luck, and hope this helps you in some way.
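Posts #1 and #31 both turn on the same observation: the AppInit_DLLs value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows looks blank in regedit's list view while "Modify Binary Data" shows a DLL path inside it. A defender can check this offline against a regedit export instead of trusting the list view. The following Python script is an added example, not code from this thread or from any of the tools it names; it assumes the key was exported with regedit (File > Export, "Windows Registry Editor Version 5.00" format), where the value appears either as a quoted REG_SZ string or as hex(2)/hex(7) UTF-16LE bytes. The two exports embedded in it are constructed for this example, and the DLL names in them are placeholders, not the real file names from the thread.

```python
"""Decode AppInit_DLLs from a .reg export and flag a value that only looks blank.

Added example, not from the forum thread. Assumes a regedit export
(Version 5.00 format). Sample exports below are constructed; DLL names
are placeholders.
"""
import re
from typing import Dict, List, Optional

VALUE_NAME = "AppInit_DLLs"

# Constructed export: value padded with CR, LF, TAB and a space before the
# path, stored as REG_EXPAND_SZ (hex(2)) in UTF-16LE with a trailing NUL.
SAMPLE_HIDDEN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(2):0d,00,0a,00,09,00,20,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,73,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"""

# Constructed export: the value is present but genuinely empty, which is
# how the value ships on a clean NT-family system.
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""


def _join_continuations(reg_text: str) -> List[str]:
    """Rejoin lines that regedit wrapped with a trailing backslash."""
    lines: List[str] = []
    buf = ""
    for line in reg_text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1].lstrip()
            continue
        lines.append(buf + line.lstrip() if buf else line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_reg_value(raw: str) -> str:
    """Turn the right-hand side of a .reg line into the string Windows reads."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: the export escapes backslash and double quote with a backslash
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
        if kind in (2, 7):           # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le", errors="replace").rstrip("\x00")
        return data.decode("latin-1")
    return raw


def analyze_appinit(reg_text: str) -> Optional[Dict[str, object]]:
    """Report on AppInit_DLLs in an exported .reg fragment.

    Returns None when the value is absent. Otherwise returns the decoded
    string, whether it is padded or contains non-printing characters (the
    trick that makes a loaded DLL look like an empty value), and the DLL
    paths actually embedded in it.
    """
    pattern = re.compile(r'^"%s"=(.*)$' % re.escape(VALUE_NAME))
    for line in _join_continuations(reg_text):
        m = pattern.match(line)
        if not m:
            continue
        decoded = _decode_reg_value(m.group(1))
        visible = decoded.strip(" \t\r\n\x00")
        suspicious = bool(decoded) and (
            decoded != visible or any(not c.isprintable() for c in visible)
        )
        # AppInit_DLLs is a space- or comma-separated list of DLL paths
        dlls = [t for t in re.split(r"[\s,]+", visible) if t.lower().endswith(".dll")]
        return {"decoded": decoded, "suspicious": suspicious, "dlls": dlls}
    return None


if __name__ == "__main__":
    for label, sample in (("hidden", SAMPLE_HIDDEN), ("clean", SAMPLE_CLEAN)):
        print(label, analyze_appinit(sample))
```

Export the key from regedit, run the script against the file's contents, and treat a `suspicious` result as a DLL to investigate rather than as proof of infection. Note the distinction the thread keeps circling: the AppInit_DLLs value itself is normal and exists, empty, on a clean system, so its mere presence (post #29's question) means nothing; what matters is whether it names a DLL, and whether that name is padded so the list view hides it.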

#32 spark1

spark1

    Member

  • New Member
  • Pip
  • 1 posts

Posted 18 July 2004 - 12:56 PM

Hi acomputerpro, you are a GENIUS! The CWS frustrated me for 2 months and I tried all the tools I could find (a long list: McAfee, Norton Antivirus, Ad-aware, Spybot, CWShredder, Spysweeper, AboutBuster, SpHjfix...) but was unsuccessful. Only your post works for me.

The OS on my computer is windows2000pro

For the part of removing AppInit_DLLs, I followed your instruction of renaming the Windows folder to Windows2, then deleting AppInit_DLLs, then renaming Windows2 back to Windows. Hit F5, and AppInit_DLLs is gone. But after reboot, AppInit_DLLs comes back.

What I did is to delete that culprit file first; the file name is logdpm.dll on my computer, which was found by AVG and reported as BackDoor.Agent.BA under the winnt\system32 folder. The file size is 57,344 bytes.

I went to the Windows Recovery Console and found this file. But I cannot delete it there because access is denied. Then I changed the attributes of the file to make it visible under Windows Explorer. I also changed its name, so when the computer is rebooted in normal mode it won't be loaded in memory.

After reboot and login as the Administrator, I went to this file, claimed ownership, and got full control of it. Then deleted it. Then I used Ad-aware to clean up the rest of the things. Only one registry key may need to be manually deleted: the registry key calling up the trojan file when the computer is started. But because the file was renamed under the Recovery Console, Windows cannot find it and it will give you a warning.

Now the trojan is gone and I feel so relieved. I couldn't be happier. :rofl: Thank you so much!

Edited by spark1, 18 July 2004 - 01:02 PM.


#33 dvaut

dvaut

    Member

  • New Member
  • Pip
  • 3 posts

Posted 18 July 2004 - 02:31 PM

Thanks tons and tons. got rid of the nasty thing.

I sent a message to Spy Sweeper and Spybot and requested that they look into some of these new trojans.

I now run Spy Sweeper, HijackThis, and CWShredder on a regular basis. I keep reglite at the ready.

I just noticed today that I had picked up some more CWS stuff. spy sweeper zapped it out. my register was not infected, at least not in the usual place. ;)

#34 klombard

klombard

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 18 July 2004 - 09:11 PM

I tried the procedure in the first post and after running Ad-aware I tried to reboot. At this point the computer made it to the screen where it says "Windows XP Home Edition" in the center of the screen with a black background. From there it just restarted. It would still be doing this, but I manually shut it off. After turning it back on it did the same thing. I then did a System Restore to earlier in the day. My computer will start now, but still the CWS crap! Any other options?

#35 Ricorso

Ricorso

    Member

  • New Member
  • Pip
  • 1 posts

Posted 26 July 2004 - 01:12 PM

Thanks, acomputerpro, can't tell you how great it is not to have about:blank popping into my browser several times a day. CoolWebSearch has been haunting me for weeks. CWShredder was the only program I could find that could remove it, but of course it never went away permanently. And none of the spyware, adware, or virus programs would come up with any sort of warnings that something was still there. I followed your instructions for removing AppInit_DLL by renaming the Windows folder in Regedit to Windows2. The only thing I did differently was to run Ad-Aware 6 before renaming the key back to Windows, the rationale being that total fear that renaming it back to Windows would allow that key to return. But it's gone for good. Thanks for your great advice. Judging from the number of posts I've seen re: CoolWebSearch, about:blank, etc., a lot of people are going to be grateful.