Successful Removal of CWS.SearchX
Posted 26 June 2004 - 11:21 AM
I was successful - Here is my info:
Eradication of CoolWebSearch "CWS" variants infecting computer due to
the following conditions present at the time of infection:
“This is a growing family of Trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.
The variants of this Trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.”
JAVA VM was removed, SP1 was left intact and Sun Java was installed per the information below:
If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Remove the MS Java VM completely and replace it with the newer, safer Sun Java VM.
As a side note, some of the affiliates (Search-Meta has been verified) use another Java exploit to install their MalWare. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.
Complications in removing CWS.SearchX described below by Kephyr.com:
Searchx BHO is implemented as a browser helper object and redirects your Internet Explorer browser to search.cc. If you make a search at searchx.cc, the results will be displayed at cx.linklist.cc. Searchx BHO uses random file names and class ids.
The following posted information worked for removing CWS.SearchX on some infected computers, but I needed to also do the step in the final paragraph:
"You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC.
The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan). So what you have to do is the following which worked for me.
1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."
On this computer, there was an infected .dll file in the Windows\System32 directory called wdmdpi.dll which was detected by Grisoft AVG (installed) and not Norton or McAfee. AVG reported the infection as BackDoor.Agent.BA. A review of this directory in Windows showed no such file exists. Numerous posts in various online message boards criticized Grisoft AVG for reporting false information. The complete opposite is true. The file did exist and was the Trojan itself. It was discovered by using the Microsoft Windows Recovery Console, and manually deleted. The operating system was secured and the Trojan was eradicated.
A Computer Professional
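The post above says the AppInit_DLLs value can "look blank" yet still be loading the DLL, and a later reply asks why the value shows up on clean machines too. The following read-only PowerShell script is an added example, not something posted in this thread: it reads the value through .NET (which keeps embedded NUL characters, while regedit displays a string only up to its first NUL) and prints the raw bytes, so a hidden DLL path becomes visible, and it reports an empty value as the normal default state.

```powershell
# Added example (not from the thread). Inspects HKLM\...\Windows\AppInit_DLLs without
# trusting what regedit shows. Run from an elevated PowerShell prompt; it changes nothing.
$subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $false)
if ($null -eq $key) { throw "Key HKLM\$subKey not found" }

function Show-AppInitValue {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name)
    if ($Key.GetValueNames() -notcontains $Name) {
        Write-Output "$Name : value not present"
        return
    }
    $kind = $Key.GetValueKind($Name)
    # DoNotExpandEnvironmentNames: show the stored text, not an expanded %VAR% form
    $data = $Key.GetValue($Name, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    Write-Output "$Name ($kind):"
    if ($data -is [string]) {
        # Raw UTF-16LE bytes, exactly as stored in the registry
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($data)
        Write-Output ("  {0} chars, raw bytes: {1}" -f $data.Length, [BitConverter]::ToString($bytes))
        $nul = $data.IndexOf([char]0)
        if ($nul -ge 0) {
            # An embedded NUL is one way the value "looks blank" in regedit
            Write-Output ("  embedded NUL at index {0}; regedit shows only '{1}'" -f $nul, $data.Substring(0, $nul))
            Write-Output ("  hidden tail: '{0}'" -f $data.Substring($nul + 1).Trim([char]0))
        } elseif ($data.Length -eq 0) {
            Write-Output "  empty: the normal state on a clean machine (the value exists by default)"
        } else {
            Write-Output "  visible content: '$data'"
            Write-Output "  every DLL listed here is loaded into each process that loads user32.dll"
        }
    } else {
        Write-Output "  non-string data: $data"
    }
}

Show-AppInitValue -Key $key -Name 'AppInit_DLLs'
Show-AppInitValue -Key $key -Name 'LoadAppInit_DLLs'   # DWORD switch, present on Vista and later only
$key.Close()
```

If the raw bytes show a path after a NUL, that is the DLL the post describes; the value itself being present with zero-length data is not a sign of infection.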
Posted 10 July 2004 - 09:34 AM
After following your procedure above, Adaware (161) did not find CWS but that may have been because I may have run CWShredder before I found your post here. My question is, after I reboot, I still found
It wasn't there before I rebooted, but was afterwards. Is this normal?
Edited by cpsnc, 10 July 2004 - 09:35 AM.
Posted 10 July 2004 - 08:07 PM
However, not on the first go.
For some people (like me) it might be necessary to do
(1) the renaming in the registry,
(2) then reboot into Safe Mode (press F8 on startup),
(3) then use, e.g., CWShredder to remove the DLL,
(4) reboot into normal mode again, and finally
(5) change the registry key name back.
Edited by cnm, 28 July 2004 - 11:04 PM.
Posted 11 July 2004 - 08:04 AM
Posted 14 July 2004 - 12:01 PM
Checking email this AM, there were two of those "question for seller" emails with questions on shipping charges for an item that doesn't exist on ebay "please add $ for shipping to xxx. How much is shipping to XX?"
Simply passing through these emails (no click on an object, or attachment) opened the "about.blank" browser that has always been associated with CWS since the hijacking of my browser. I'm not sure if these emails had anything to do with the return of CWS, or if the re-infection had taken place earlier, and whatever site the email wanted to open was also hi-jacked.
I ran CWShredder, since it is the easiest way to see if CWS has returned, and sure enough, CWS.searchx was there. Cleared it and ran AdAware 6.0 which found the usual 9 files or registry entries associated with CWS. Cleaned them, then checked the registry to see if the AppInit_DLL was back in the registry. IT IS NOT!
Also checked to see if I had the offending DLL file in the system32 directory, and nothing was found there.
Darn. Thought I had this thing licked, but the battle continues.
Posted 15 July 2004 - 02:54 PM
Posted 28 July 2004 - 08:40 PM
Thanks for the help
Posted 30 July 2004 - 05:28 AM
Hello there. I am not used to this kind of terminology. Could somebody please explain to me how to do that? How can I rename the folder, or first of all, how can I find the folder?
Posted 30 July 2004 - 10:43 AM
I am battling CWS right now and obviously I have come to your forums here.
The registry entry that you specifically mention to delete above "AppInit_DLLs" found at:
shows up on even non-CWS-infected machines that are completely clean of any spyware whatsoever.
What is that entry exactly because it seems to me that it isn't exclusive to CWS?
Posted 05 August 2004 - 07:44 AM
Posted 16 August 2004 - 08:54 PM
and just for the record, I'm fixing someone's computer. It wasn't me looking up dodgy porn sites.
Posted 17 August 2004 - 07:29 AM
Posted 12 September 2004 - 09:18 AM
I have been struggling with this problem for quite some time.
And am not very computer skilled. But I think this is the fix I need.
Is there anyone who could post instructions as to how to delete that Registry Entry. I guess I need a program called REGEDIT? Is that right?