Three days ago I used this fix to clean my machine of CWSearchx. I posted my experiences here. Since then a number of people have reported that these steps worked for them too, and so I’m posting a step-by-step how-to for everyone to take a look at. I don’t have a WinXP machine, so I don’t know if it will work in XP. But it does work in Win 98.
This technique uses a scalpel, not a machete. No essential system files will be accidentally deleted. The task is to find the hidden file that regenerates the CWS infection after CWS Shredder, Adaware, Spybot, and Hijack This have removed the visible symptoms.
1. Make sure that Windows Explorer is set to display all hidden and system files: go to Tools>Folder Options>View and click the button for Show All Files.
2. Run Adaware. Make sure you instruct it to scan your \Windows, \Program Files, and \My Documents folders. Then run Shredder. Remove every suspicious thing they find.
3. Next take your computer offline – unplug your modem, whatever. No Web connection.
4. Run the Windows utility "System Information." It’s on your Start Menu under System Tools, or just click Start>Run and on the command line type msinfo32.
5. Expand the Software Environment section, and select System Hooks.
6. If you are infected with CWSearchx, you will see a suspicious file there. The hook type will be “Windows Procedure,” and the file name will be a nonsense string of characters ending in .dll. The dll Path will be \Windows\System. WRITE THE NAME OF THIS FILE DOWN.
7. Close MS Info. Open Windows Explorer, go to \Windows\System and look for this file. IF YOU CAN SEE IT, IT’S THE WRONG FILE. But if you can’t see it, this is the one.
8. Shut down, and reboot into Command Prompt Safe Mode. On the C:\ command line, type cd\Windows\System.
9. Once inside \Windows\System, type dir, a space, and the name of the file you wrote down (like this: dir ghyth.dll). When the file shows up, take a look at its size. It will probably be 57,344 bytes.
10. Type ren, a space, the name of the file you wrote down, and then a new name for the file (like this: ren ghyth.dll ghyth.bob). Make sure you change the extension of the file from .dll to something else. Do not delete the file.
11. Restart your computer in Windows Safe Mode. Windows may complain that it can’t find the .dll, but click OK and keep going.
12. Once in Safe Mode, run Adaware again. This time it will find the renamed file in your System folder and will identify it as CWS. If it does, have Adaware delete it.
13. Run Shredder, Spybot, and Hijack This for good measure. Clean house.
14. Reconnect your Internet connection and restart Windows normally. Reset your IE home page to whatever you want. You’re done.
I would also recommend you get a good firewall and set your browser for High Security.
Good luck! If it works for you, post a reply to this message to keep it bumped.
Edited by BobO, 28 June 2004 - 06:27 AM.
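As an added example (not part of BobO's post), the following Python script reproduces the comparison behind steps 6 to 9 offline: it takes the entries you would copy from System Information > System Hooks and the output of `attrib` run in the same directory, and flags hook DLLs that carry the Hidden or System attribute (which is why Explorer does not show them) or that are missing from the listing altogether. Every file name and listing below is constructed sample data; the names are made up.

```python
"""Cross-check Windows-procedure hook DLLs against file attributes."""
import re

# Constructed: what the System Hooks pane might list, as (hook type, dll path).
# All names are made up for this example.
HOOKS = [
    ("Windows Procedure", r"C:\WINDOWS\SYSTEM\MSGSRV32.EXE"),
    ("Windows Procedure", r"C:\WINDOWS\SYSTEM\GHYTH.DLL"),
    ("Keyboard", r"C:\WINDOWS\SYSTEM\KBDHOOK.DLL"),
    ("Windows Procedure", r"C:\WINDOWS\SYSTEM\QWZXP.DLL"),
]

# Constructed: lines in the shape `attrib` prints them in C:\WINDOWS\SYSTEM.
# Flags (A, R, S, H) come first, then the full path.
ATTRIB_OUTPUT = """\
A          C:\\WINDOWS\\SYSTEM\\MSGSRV32.EXE
A   SH     C:\\WINDOWS\\SYSTEM\\GHYTH.DLL
A          C:\\WINDOWS\\SYSTEM\\KBDHOOK.DLL
"""

# Non-greedy flag field, then a path that starts with a drive letter.
ATTRIB_LINE = re.compile(r"^(?P<flags>[A-Z\s]*?)(?P<path>[A-Za-z]:\\\S.*)$")


def parse_attrib(text):
    """Map each upper-cased path to the set of attribute letters attrib printed."""
    attrs = {}
    for line in text.splitlines():
        m = ATTRIB_LINE.match(line.rstrip())
        if not m:
            continue  # skip blank or unrecognised lines
        attrs[m.group("path").upper()] = set(m.group("flags").replace(" ", ""))
    return attrs


def find_hidden_hook_dlls(hooks, attrib_text):
    """Return (path, hook type, reason) for hook DLLs that a default Explorer
    view would not show: Hidden/System attributes, or absent from the listing."""
    attrs = parse_attrib(attrib_text)
    suspicious = []
    for hook_type, path in hooks:
        key = path.upper()
        if not key.endswith(".DLL"):
            continue  # the post's indicator is a .dll; skip other hook modules
        flags = attrs.get(key)
        if flags is None:
            suspicious.append((path, hook_type, "not in attrib listing"))
        elif flags & {"H", "S"}:
            suspicious.append((path, hook_type, "attributes " + "".join(sorted(flags))))
    return suspicious


if __name__ == "__main__":
    for path, hook_type, reason in find_hidden_hook_dlls(HOOKS, ATTRIB_OUTPUT):
        print(f"{path}  [{hook_type}]  {reason}")
```

A flagged entry is the one to check with `dir` in Command Prompt Safe Mode as in step 9; a DLL that shows plain attributes here and is visible in Explorer is, as the post says, the wrong file.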