Successful Removal of CWS.SearchX


14 replies to this topic

#1 acomputerpro

    Computer Talk Show Host from KVTA.COM

  • Full Member
  • 15 posts

Posted 26 June 2004 - 11:21 AM

Hello. I am A Computer Professional and host of A Computer Show on KVTA Radio in Ventura CA. I just spent the past 48 hours trying to remove CWS.SearchX aka Troj_StartPage.sp and BackDoor.Agent.BA

I was successful - Here is my info:

6/24/04-6/26/04

Eradication of CoolWebSearch "CWS" variants infecting computer due to
the following conditions present at the time of infection:


“This is a growing family of Trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.

The variants of this Trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.”

JAVA VM was removed, SP1 was left intact and Sun Java was installed per the information below:

If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Remove the MS Java VM completely and replace it with the newer, safer Sun Java VM.

As a side note, some of the affiliates (Search-Meta has been verified) use another Java exploit to install their MalWare. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.

Complications in removing CWS.SearchX described below by Kephyr.com:

Overview
Searchx BHO is implemented as a browser helper object and redirects your Internet Explorer browser to search.cc. If you make a search at searchx.cc, the results will be displayed at cx.linklist.cc. Searchx BHO uses random file names and class ids.

Files
[random].exe

Uninstall procedure
Unknown

The following posted information worked for removing CWS.SearchX on some infected computers, but I needed to also do the step in the final paragraph:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC.
The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan). So what you have to do is the following which worked for me.
1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."

On this computer, there was an infected .dll file in the Windows\System32 directory called wdmdpi.dll which was detected by Grisoft AVG (installed) and not Norton or McAfee. AVG reported the infection as BackDoor.Agent.BA. A review of this directory in Windows showed no such file exists. Numerous posts in various online message boards criticized Grisoft AVG for reporting false information. The complete opposite is true. The file did exist and was the Trojan itself. It was discovered by using the Microsoft Windows Recovery Console, and manually deleted. The operating system was secured and the Trojan was eradicated.


A Computer Professional
www.acomputerpro.com
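As an added example (it is not code from the original post or from any tool the post names), the following Python script audits the AppInit_DLLs value from a regedit export rather than from the regedit window, because the post's central point is that the value can look blank in the GUI while still naming a DLL. It assumes the export was produced with `regedit /e appinit.reg "<key>"` for the Windows key quoted above; both .reg blobs embedded in it are constructed samples, and the DLL name in the second one is simply the file the post reports. Note that AppInit_DLLs exists with empty data on every clean Windows NT-family install, so its presence alone (a question raised later in this thread) is not an indicator; the data it carries is.

```python
"""Audit the AppInit_DLLs value from a regedit (.reg) export.

Added example for this thread, not code from the original post. It decodes
the exported bytes, not what the regedit window shows, so a value that
"looks blank" in the GUI is still reported if it carries data.
"""
import re
from typing import List, Optional, Tuple

# Key and value the thread is about (assumed exported with
# `regedit /e appinit.reg "<this key>"`).
REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_NAME = "AppInit_DLLs"

# Constructed sample 1: a clean machine. AppInit_DLLs is present by default
# with empty data, so its mere presence is not an indicator.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
'''

# Constructed sample 2: the value names a DLL (the file the post reports),
# written in regedit's hex(1) form, i.e. REG_SZ as UTF-16LE bytes.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(1):77,00,64,00,6d,00,64,00,70,00,69,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"DeviceNotSelectedTimeout"="15"
'''

_HEX_TYPES = {
    "hex": "REG_BINARY",
    "hex(0)": "REG_NONE",
    "hex(1)": "REG_SZ",
    "hex(2)": "REG_EXPAND_SZ",
    "hex(7)": "REG_MULTI_SZ",
}
_STRING_TYPES = {"REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ"}


def _logical_lines(reg_text: str) -> List[str]:
    """Join regedit's backslash-continued lines into single logical lines."""
    lines: List[str] = []
    pending = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def decode_reg_data(data: str) -> Tuple[str, str]:
    """Decode one .reg value payload into (type name, text).

    Quoted strings are unescaped; hex(N) payloads are parsed to bytes and,
    for the string types, decoded as UTF-16LE with NULs kept, so nothing is
    discarded before the caller decides what counts as a DLL name.
    """
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", data[1:-1])
    match = re.match(r"^(hex(?:\(\d+\))?):(.*)$", data, re.IGNORECASE)
    if match:
        tag = match.group(1).lower()
        raw = bytes.fromhex(match.group(2).replace(",", "").replace(" ", ""))
        type_name = _HEX_TYPES.get(tag, tag.upper())
        if type_name in _STRING_TYPES:
            return type_name, raw.decode("utf-16-le", errors="replace")
        return type_name, raw.hex()
    return "UNKNOWN", data


def find_appinit(reg_text: str) -> Optional[Tuple[str, str]]:
    """Return (type, decoded text) of AppInit_DLLs under REG_KEY, or None."""
    current_key: Optional[str] = None
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != REG_KEY.lower():
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and match.group(1).lower() == VALUE_NAME.lower():
            return decode_reg_data(match.group(2))
    return None


def appinit_dlls(reg_text: str) -> List[str]:
    """List the DLL names the value carries.

    user32 reads the value as a space- or comma-separated list; NULs are
    treated as separators here too, so a name cannot hide behind a terminator.
    """
    found = find_appinit(reg_text)
    if found is None:
        return []
    _, text = found
    return [part for part in re.split(r"[ ,\x00]+", text) if part]


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_REG), ("infected", INFECTED_REG)):
        print(f"{label}: {find_appinit(blob)} -> {appinit_dlls(blob)}")
```

Run it on a real export by replacing the two constructed blobs with the file's contents; an empty list from `appinit_dlls` is the state the post says a cleaned machine should stay in after reboot, and anything else names what would be loaded into every process that links user32.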

#2 cpsnc

    Member

  • New Member
  • 2 posts

Posted 10 July 2004 - 09:34 AM

Great addition; thanks much. I have a question, however....

After following your procedure above, Adaware (161) did not find CWS but that may have been because I may have run CWShredder before I found your post here. My question is, after I reboot, I still found

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLL

It wasn't there before I rebooted, but was afterwards. Is this normal?

cps

Edited by cpsnc, 10 July 2004 - 09:35 AM.


#3 Chris123

    Member

  • New Member
  • 1 posts

Posted 10 July 2004 - 08:07 PM

Okay. Thanx to you I could finally remove this ***er. :p
However, not on the first go.

For some people (like me) it might be necessary to do

(1) the renaming in the registry,
(2) then reboot into Safe Mode (press F8 on startup),
(3) then use, e.g., CWShredder to remove the DLL,
(4) reboot into normal mode again, and finally
(5) change the registry key name back.

Chris

Edited by cnm, 28 July 2004 - 11:04 PM.


#4 cpsnc

    Member

  • New Member
  • 2 posts

Posted 11 July 2004 - 08:04 AM

Chris, did the following key remain gone when you were finished?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLL

#5 dsoelter

    Member

  • New Member
  • 1 posts

Posted 14 July 2004 - 12:01 PM

I thought that this had finally removed CWS from my machine. Removed Appinit_DLL yesterday afternoon, and for the entire evening, browser remained mine!!

Checking email this AM, there were two of those "question for seller" emails with questions on shipping charges for an item that doesn't exist on ebay "please add $ for shipping to xxx. How much is shipping to XX?"

Simply passing through these emails (no click on an object, or attachment) opened the "about.blank" browser that has always been associated with CWS since the hijacking of my browser. I'm not sure if these emails had anything to do with the return of CWS, or if the re-infection had taken place earlier, and whatever site the email wanted to open was also hi-jacked.
I ran CWShredder, since it is the easiest way to see if CWS has returned, and sure enough, CWS.searchx was there. Cleared it and ran AdAware 6.0 which found the usual 9 files or registry entries associated with CWS. Cleaned them, then checked the registry to see if the AppInit_DLL was back in the registry. IT IS NOT!

Also checked to see if I had the offending DLL file in the system32 directory, and nothing was found there.

Darn. Thought I had this thing licked, but the battle continues.

#6 kingredladsdad

    Member

  • New Member
  • 1 posts

Posted 15 July 2004 - 02:54 PM

yer a bloody genius -- I have been trying for months and that simple solution solved it all. Thanks :bounce:

#7 toogood1

    Member

  • Full Member
  • 6 posts

Posted 28 July 2004 - 08:40 PM

acomputerpro, thanks to you I finally got rid of this stupid and annoying hijack.

Thanks for the help

toogood1

#8 Levent Kazanci

    Member

  • New Member
  • 1 posts

Posted 30 July 2004 - 05:28 AM

1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.

Hello there. I am not used to this kind of terminology. Could somebody please explain to me how to do that? How can I rename the folder, or, first of all, how can I find the folder?

#9 frisky_rabbit

    Member

  • Full Member
  • 7 posts

Posted 30 July 2004 - 10:43 AM

I am new to this and I'm not familiar with the registry, so excuse me if this isn't a good question but....

I am battling CWS right now and obviously i have come to your forums here.

The registry entry that you specifically mention to delete above "AppInit_DLLs" found at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
shows up on even non-CWS-infected machines that are completely clean of any spyware whatsoever.

What is that entry exactly because it seems to me that it isn't exclusive to CWS?

#10 solihull63

    Member

  • New Member
  • 1 posts

Posted 02 August 2004 - 11:37 AM

Thank you acomputerpro. Problem sorted in 5 minutes. :rofl:

#11 Punit Khemani

    Member

  • Full Member
  • 18 posts

Posted 02 August 2004 - 12:15 PM

ok

#12 krelmatrix

    Member

  • New Member
  • 1 posts

Posted 05 August 2004 - 07:44 AM

Much thanks for posting this - I've been annoyed with this hijack for over a month and this appears to have completely solved it.
:)

#13 Xmas

    Member

  • Full Member
  • 5 posts

Posted 16 August 2004 - 08:54 PM

What about in Windows ME?

and just for the record, I'm fixing someone's computer. It wasn't me looking up dodgy porn sites.

#14 scrambler

    Member

  • Full Member
  • 5 posts

Posted 17 August 2004 - 07:29 AM

You're a saint! :whome: So simple, so quick, this stuff should be up at the top of the forum. :hyper:

#15 gaijinJapan

    Member

  • Full Member
  • 2 posts

Posted 12 September 2004 - 09:18 AM

Hello,
I have been struggling with this problem for quite some time.

And am not very computer skilled. But I think this is the fix I need.

Is there anyone who could post instructions as to how to delete that registry entry? I guess I need a program called REGEDIT? Is that right?

Thanks
