Jump to content


Photo

HOW I REMOVED Startpage.fh, sp.html, CWS.SearchX!!


  • Please log in to reply
8 replies to this topic

#1 toxsik

toxsik

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 10 July 2004 - 08:52 PM

Hello. My name is toxsik and I just spent the past few hours trying to remove CWS.SearchX trojan aka Troj_StartPage.sp,

Trojan_StartPage.FH, About:blank, BackDoor.Agent.BA, and Sp.html from my Windows XP pro system. For an example of this

trojan and what it looks like if you have it please refer to the following page as they have screen shots of the pop-ups and sp.html

page.

http://www.pandasoft...eteccion=105595
Also there's a pop-up that looks like little green bugs, getting busy! =) but that's not posted prob. cuz they think it would be to

vulgar.

Now I had a lot of trouble w/ this one and I was very paranoid in the final removal of the trojan cuz I tried everything and it kept

coming back! This is because this trojan is a 2 stage infection.

1) Puts a dll in the system32 folder in windows. then kills some windows programs like notepad. I know this cuz i got this message

before i realized what it was ('NOTEPAD.EXE' is not a valid Win32 application') when I clicked on my notepad shortcut in my start

menu. So I right-clicked properites on the shortcut and it was a Notepad.exe file in system32 that when on the short cut caused a

dos lookin icon you know looks like a blue windows title bar and white blank body. Hopefully I explained it well enough anyway so

I just inorged this and chaged it back to the windows Notepad.exe in the windows dir! NOT IN SYSTEM32 DIR! For more info on

the window files the CoolWebSearch.trojan replaces for its own purposes go here:

http://www.spywarein...n/winfiles.html
this is also the place to get CWShredder under the download link in the menu, which we will need at the end of this cuz we so

paranoid. P.S. you should read up on as much stuff here to get a good understanding of the CWS trojan and what this poor soul

has to put up w/ from the CWS developers! CWS BASTARDS! hope they all die!

2) So I tried everything running Norton AV 2004, Ad-aware, Spybot S&D, CWShredder, Hijack This and etc. These programs

would catch the second dll file which is a random name mine was (nbj.dll) in the system32 folder. Ad-aware, would find these

sp.html entries in my Documents and Settings\<username>\local settings\temp and temporary internet folders. But, because it is only

the second dll after a very short disinfection sp.html comes back sets your browser back to about:blank and replaces the second dll

w/ a new renamed dll.

3) I finally got this program Spy Sweeper 3.0 from www.webroot.com good program cuz i found both the second.dll and the

sp.html's and the changes to the registry to set the hompage to sp.html and all that!

Okay so the fix:

Need these programs:
Registar Lite ------------> http://www.resplendence.com/main
CWShedder & Hijack This -------> http://www.spywareinfo.com/~merijn/
WINFILE ------------> http://www10.brinkst...last/pvtool.htm

Now we are going to get rid of the hidden DLL that is causing all the problems.
In Registar Lite:
=====================================
First we need to make it visible:
Copy and paste this line to reglite's address bar. Then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Rename the Folder Windows to NotWindows
(the folder is highlighted as a purple folder in the left hand pane of reglite)

Click "AppInit_DLLs" again and clear the data value:

mine was:C:\WINDOWS\System32\d3d.dll < -- delete this line ,
'Apply' and 'ok' to set. (I understand in this case this looks like DirectX even has all the DirectX info in the properites but after i

deleted it i and ran dxdiag Direct X worked fine. This may be becuz this is an old dll that directX use to use as its files?)

Rename the NotWindows folder back to its original name Windows
========================================
Restart your computer.

After restart, try to locate the winm.dll in System32 folder but Don't attempt to delete it yet.

Go to your root drive: C:\ And create new folder.
Name it: "junk"
===============================

Run the 'Winfile' you previously downloaded an unzipped.
Expand and navigate to System32 folder.
You need to navigate by Double clicking to expand.

When in System32 click top menu: File --> Select files
Copy and paste to the box: and put the name of the dll you found in the AppInit_DLLs key, i.e. mine (d3d.dll)

Find and hi-lite that file.
Next in top menu select >Security>permissions
change it if you have to to full access

Then: Menu -File --> move...
In From: Copy/paste:
C:\WINDOWS\System32\(d3d).dll

In To: Copy and paste:
C:\junk\(d3d).dll

Then hit ok.

Close Winfile and check in C:\junk for that file. (not deleting the file is to ensure if you are wrong and maybe different virus on not

CWS nothing is broken you can put it back)

Restart in Safe Mode

Run Ad-Aware, Spy Sweeper, CWShedder etc.

In CWShedder look for a BHO entry that points to no-file ****.dll, del entry

del any brower hijack entry's you may have.

then search all files for notepad notice the .chm and .hlp files these are legit, don't del these all other one's except your start menu

shortcut's delete! then take the notepad.exe file u should have downloaded of of the CWShredder winfiles section back in:

windows\notepad.exe cuz thats where it belongs not in System32 folder any entry's you may have found in SYS32 del. also i noticed

notepad.exe.bak's that i did not create del them too. Now for me i noticed a werid shortcut named notepad w/ a blue dos type icon

in C:\windows\system32\config\systemprofile\Start Menu\Programs\Accessories checking the properties on this shortcut showed it

pointing to C:\windows\system32\actmovie.exe now i know this file is familiar to cuz i remember it from win98 i'm not sure if it

comes w/ winxp? i dunno but i went to the directory in normal mode and cut it to c:\junk folder we made and when back to check if it

was still in sys32 and it was so i deleted it then went into i a different dir and back to sys32 and BOOM back so i figured mine is part

of this too so back to safe mode and del it for good!

after all this run ad-aware, spy sweeper (my favorite), cwshedder and check your hijack this log one more time just to be sure and

there you go. fixed at least on mine i've been running 24 hr's no more BS!

JUST for Protection search the web on how to un-install Microsoft Java VM cuz they don't support it any more go to:

http://www.java.com/en/index.jsp to get good updated SUN java 2.0 cuz i saw in other forums that this could be how CWS got on

my computer through secrity flaw in Microsoft Java VM!

okay tell me how everyone does off and have a nice day! :)

#2 te1221

te1221

    Member

  • New Member
  • Pip
  • 1 posts

Posted 15 July 2004 - 11:02 PM

This really worked for me thanks! I have never been able to get it off any of the machines I tried the other solutions on.

The only thing I didnt understand was how to recover the old notepad program because I got a little confused from your wording. How is that done?

#3 kerry

kerry

    Member

  • New Member
  • Pip
  • 2 posts

Posted 15 July 2004 - 11:52 PM

The freeatlast (FindNFix) software you mention is not on the internet anymore.

Could someone (anyone) email it to me (kerry@isodesigns.com) or make it available for download on the internet again??

It seems if you have ANY chance of getting this junk off your pc, you mush have this software.

Can anyone provide it??

#4 toxsik

toxsik

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 July 2004 - 10:51 AM

Okay kerry I didn't mention any FindNFix Software but you can get The WinFile software here I posted it on my website.: http://187extreme.cjb.net
ANd select the link for: "Download WINFILE and all versions of Notepad!"
That should do it!

Edited by toxsik, 16 July 2004 - 12:08 PM.


#5 toxsik

toxsik

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 July 2004 - 11:03 AM

Just updated I know some people have been having problems getting the notepad file for there system at: http://www.spywarein...n/winfiles.html
So just in case I've download and uploaded all versions of notepad to my webpage: http://187extreme.cjb.net
ANd select the link for: "Download WINFILE and all versions of Notepad!"
That should help everyone with getting that notepad!

Edited by toxsik, 16 July 2004 - 12:10 PM.


#6 toxsik

toxsik

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 July 2004 - 11:06 AM

Hope this helps everyone!!! L8r and Enjoy!

Edited by toxsik, 16 July 2004 - 11:09 AM.


#7 oshmir

oshmir

    Member

  • Full Member
  • Pip
  • 47 posts

Posted 16 July 2004 - 12:03 PM

Click "AppInit_DLLs" again and clear the data value:

I don't understand what you mean by this. I've done everything so far that you said, but I'm just confused because you never said to click AppInit_DLLs in the first place. You did say to go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs which I did, but I'm not seeing where you're supposed to "click AppInit_DLLs" again.

#8 toxsik

toxsik

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 July 2004 - 12:13 PM

oshmir you wanna open the AppInit_DLLs key, (need to you that Registar Lite i told you to get to do this) don't delete the key just clear the data thats in the data field.

#9 oshmir

oshmir

    Member

  • Full Member
  • Pip
  • 47 posts

Posted 16 July 2004 - 03:48 PM

I don't have the AppInit_DLLs key. I just noticed that when I type in that HKEY address that it just goes to the Windows key and in the address bar the "\\AppInit_DLLs" part disappears, which to me is saying that it doesn't exist. I looked in the left pane to see if there are any subfolders under windows, and there are not.

And I just noticed that you said you used this on xp pro :ugh: . I have home edition, so it's probably going to be different.

Crap, so this means I won't be able to fix it using your method




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button