acomputerpro

Successful Removal of CWS.SearchX

15 posts in this topic

Hello. I am A Computer Professional and host of A Computer Show on KVTA Radio in Ventura CA. I just spent the past 48 hours trying to remove CWS.SearchX aka Troj_StartPage.sp and BackDoor.Agent.BA

 

I was successful - Here is my info:

 

6/24/04-6/26/04

 

Eradication of CoolWebSearch "CWS" variants infecting the computer due to the following conditions present at the time of infection:

 

“This is a growing family of Trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.

 

The variants of this Trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.”

 

JAVA VM was removed, SP1 was left intact and Sun Java was installed per the information below:

 

If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Remove the MS Java VM completely and replace it with the newer, safer Sun Java VM.

 

As a side note, some of the affiliates (Search-Meta has been verified) use another Java exploit to install their malware. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.

 

Complications in removing CWS.SearchX described below by Kephyr.com:

 

Overview

Searchx BHO is implemented as a browser helper object and redirects your Internet Explorer browser to search.cc. If you make a search at searchx.cc, the results will be displayed at cx.linklist.cc. Searchx BHO uses random file names and class ids.

 

Files

[random].exe

 

Uninstall procedure

Unknown

 

The following posted information worked for removing CWS.SearchX on some infected computers, but I needed to also do the step in the final paragraph:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC.

The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan). So what you have to do is the following which worked for me.

1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.

2. Now delete the AppInit_DLLs key under the Windows2 folder.

3. Hit F5 and notice that AppInit_DLLs doesn't come back.

4. Rename the Windows2 folder back to Windows.

Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."

 

On this computer, there was an infected .dll file in the Windows\System32 directory called wdmdpi.dll which was detected by Grisoft AVG (installed) and not by Norton or McAfee. AVG reported the infection as BackDoor.Agent.BA. A review of this directory in Windows showed no such file exists. Numerous posts in various online message boards criticized Grisoft AVG for reporting false information. The complete opposite is true. The file did exist and was the Trojan itself. It was discovered by using the Microsoft Windows Recovery Console, and manually deleted. The operating system was secured and the Trojan was eradicated.

 

A Computer Professional

www.acomputerpro.com

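Added example, not part of acomputerpro's post or of any tool named in this thread: a small Python script that parses a regedit export (the "Windows Registry Editor Version 5.00" format written by File > Export or by "reg export") and reports the AppInit_DLLs value under ...\Windows NT\CurrentVersion\Windows. It decodes hex(...) data so that a value whose Data column looks blank in regedit still reveals its stored bytes, which is the situation the post describes ("may look blank for you, but it is not"). Both sample exports are constructed for the example. The hidden sample stores the DLL name behind a leading UTF-16 NUL; that is an assumed illustration of one way a value can display as empty, not a statement of how CWS.SearchX actually hid its value (the thread does not say). wdmdpi.dll is the file name the first post reports.

```python
"""Offline triage of a regedit export for a non-empty AppInit_DLLs value.

Parses text in the "Windows Registry Editor Version 5.00" export format and
reports every AppInit_DLLs value under ...\\Windows NT\\CurrentVersion\\Windows,
including ones whose Data column in regedit would read as blank because the
stored bytes do not form a visible string.
"""
import re

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
WINDOWS_KEY_SUFFIX = r"\windows nt\currentversion\windows"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed samples, not exports taken from a real machine.
# CLEAN_EXPORT: the value as a default Windows XP install has it, an empty string.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"AppInit_DLLs"=""
'''

# HIDDEN_EXPORT: assumed hiding technique for illustration only (the thread does
# not say how the Trojan hid its value): the DLL name sits behind a leading
# UTF-16 NUL, so regedit's string view shows "" while the bytes are not empty.
HIDDEN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(1):00,00,77,00,64,00,6d,00,64,00,70,00,69,00,2e,00,64,00,\
  6c,00,6c,00,00,00
'''


def _join_continuations(text):
    """Rejoin hex lists that regedit wraps onto several lines with a trailing backslash."""
    out, buf = [], ""
    for line in text.splitlines():
        line = (buf + line.strip()) if buf else line.rstrip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append(line)
    if buf:
        out.append(buf)
    return out


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " inside quoted names and strings."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(data):
    """Return (type_name, raw_bytes) for the right-hand side of a value line."""
    if data.startswith('"') and data.endswith('"'):
        text = _unescape(data[1:-1])
        return "REG_SZ", text.encode("utf-16-le") + b"\x00\x00"
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16).to_bytes(4, "little")
    m = re.match(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", data)
    if m:
        type_id = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" is REG_BINARY
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return REG_TYPES.get(type_id, f"REG_TYPE_{type_id}"), raw
    return "UNKNOWN", data.encode()


def parse_reg_export(text):
    """Return {key_path: {value_name: (type_name, raw_bytes)}} for an export's text."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode_value(m.group(2).strip())
    return keys


def string_view(raw):
    """What regedit shows in the Data column for a string value: text up to the first NUL."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def check_appinit(keys):
    """One finding per AppInit_DLLs value found under a CurrentVersion\\Windows key."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(WINDOWS_KEY_SUFFIX):
            continue
        for name, (vtype, raw) in values.items():
            if name.lower() != "appinit_dlls":
                continue
            payload = raw.strip(b"\x00")       # bytes left once NUL padding is dropped
            shown = string_view(raw)
            findings.append({
                "key": key,
                "type": vtype,
                "shown": shown,                 # what regedit displays
                "nonempty": len(payload) > 0,   # there is something stored at all
                "hidden": len(payload) > 0 and shown.strip() == "",
                "raw_text": raw.decode("utf-16-le", errors="replace").strip("\x00 "),
            })
    return findings


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hidden", HIDDEN_EXPORT)):
        for f in check_appinit(parse_reg_export(export)):
            print(f"{label}: type={f['type']} shown={f['shown']!r} "
                  f"nonempty={f['nonempty']} hidden={f['hidden']} raw={f['raw_text']!r}")
```

To use it against a live machine, export the key first, for example with reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" appinit.reg, then read that file with encoding="utf-16" (regedit writes version 5.00 exports as UTF-16LE with a byte-order mark) and pass the text to parse_reg_export. A clean install has the AppInit_DLLs value present but empty, which is why later posts in this thread see it on uninfected machines too; the result that matters is "nonempty", and "hidden" when the editor shows nothing for it.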

Great addition; thanks much. I have a question, however....

 

After following your procedure above, Adaware (161) did not find CWS but that may have been because I may have run CWShredder before I found your post here. My question is, after I reboot, I still found

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLL

 

It wasn't there before I rebooted, but was afterwards. Is this normal?

 

cps

Edited by cpsnc


Okay. Thanx to you I could finally remove this ***er. :p

However, not on the first go.

 

For some people (like me) it might be necessary to do

 

(1) the renaming in the registry,

(2) then reboot into Safe Mode (press F8 on startup),

(3) then use, e.g., CWShredder to remove the DLL,

(4) reboot into normal mode again, and finally

(5) change the registry key name back.

 

Chris

Edited by cnm


Chris, did the following key remain gone when you were finished?

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLL


I thought that this had finally removed CWS from my machine. Removed Appinit_DLL yesterday afternoon, and for the entire evening, browser remained mine!!

 

Checking email this AM, there were two of those "question for seller" emails with questions on shipping charges for an item that doesn't exist on ebay "please add $ for shipping to xxx. How much is shipping to XX?"

 

Simply passing through these emails (no click on an object, or attachment) opened the "about:blank" browser that has always been associated with CWS since the hijacking of my browser. I'm not sure if these emails had anything to do with the return of CWS, or if the re-infection had taken place earlier, and whatever site the email wanted to open was also hijacked.

I ran CW shredder, since it is the easiest way to see if CWS has returned, and sure enough, CWS.searchx was there. Cleared it and ran AdAware6.0 which found the usual 9 files or registry entries associated with CWS. Cleaned them, then checked the registry to see if the AppInit_DLL was back in the registry. IT IS NOT!

 

Also checked to see if I had the offending DLL file in the system32 directory, and nothing was found there.

 

Darn. Thought I had this thing licked, but the battle continues.


1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.

 

Hello there. I am not used to this kind of terminology. Could somebody please explain to me how to do that? How can I rename the folder, or first of all, how can I find the folder?


I am new to this and I'm not familiar with the registry, so excuse me if this isn't a good question, but....

 

I am battling CWS right now and obviously i have come to your forums here.

 

The registry entry that you specifically mention to delete above "AppInit_DLLs" found at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

shows up even on non-CWS-infected machines that are completely clean of any spyware whatsoever.

 

What is that entry exactly because it seems to me that it isn't exclusive to CWS?


What about in Windows ME?

 

and just for the record, I'm fixing someone's computer. It wasn't me looking up dodgy porn sites.


Hello,

I have been struggling with this problem for quite some time.

 

And am not very computer skilled. But I think this is the fix I need.

 

Is there anyone who could post instructions as to how to delete that Registry Entry. I guess I need a program called REGEDIT? Is that right?

 

Thanks
