
For all trying to get rid of CWS.smartsearch.2


  • This topic is locked
6 replies to this topic

#1 JArnoldOK


Posted 21 May 2004 - 09:11 PM

Hello, I am a computer tech from Oklahoma, and I have been researching this virus for some time. In my past I used to mess with virus creation and actually messing my own system up from the effects, and how to completely stealth viruses from computers.

I am going to give you the simplest way to remove this virus from re-creating itself on your system.

Grab your Windows XP disk or a system boot disk that will allow you to access C:\
You will want to select restore (WinXP)
and access the Windows terminal.

This will drop you into C:\windows

type

dir Win*.*

If you have a file listed in there called
Winunins.ini
Winunins.exe
you are definitely being hit by CWS.smartsearch.2 / Hackerdefender.
You can type
TYPE WINunins.ini
and it will list what's inside that file.
This file will have all files it hides (keywords) like cwshredder, spybot, hijackthis, etc.
It will also list the drv file it creates.

This virus makes a file called Svhost.exe, not SCVhost,
and completely hides the file from Windows, adware scanners, virus scanners and the user. You will not be able to see this file in a normal boot, only in this boot process I have stated, but it can be in system process.

Simply type:
DEL winunins*.*
and you will be rid of the file closing your programs.

Boot Windows normally and run all adware scans and online virus scanners, e.g. www.trend.com - housecall

Hope this helps you all out.

#2 JArnoldOK


Posted 21 May 2004 - 09:16 PM

I also forgot to mention,

Most of the time, but not all the time, CWS shredder and Hijackthis will not show this virus or its offspring files in the log files, especially if it has mutated.

Booting in safe mode WILL NOT HELP YOU.
It will continue to load itself and stealth even in safe mode.

James

Edited by JArnoldOK, 21 May 2004 - 09:17 PM.


#3 zeke0123


Posted 21 May 2004 - 09:58 PM

Any chance for a Win ME fix??

#4 rand1038


Posted 21 May 2004 - 10:52 PM

This particular implementation of the rootkit can be disabled with Windows running by doing the following. You must be logged on as an administrator.

Open a command prompt and type
NET STOP HACKERDEFENDER100

This will make it so you can find the winuninst.ini file. Post a copy of that file (open it with Notepad) to the support forums and wait for further instructions.

Do a search of your registry for HACKERDEFENDER and delete any keys it is found in. If you are denied access to a key, then right-click it, choose security>permissions (or just permissions) and highlight "Administrators", then checkmark "full control" in the bottom pane. Click OK and then delete the offending key.

Edited by rand1038, 22 May 2004 - 06:22 PM.
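
Added example, not part of the original posts: posts #1 and #4 both depend on the same effect, that files invisible on the running system show up once the rootkit is not active (offline boot, or after the service is stopped). The Python sketch below compares two saved `dir Win*.*` listings for that difference. It assumes both listings were saved as text in the cmd.exe date/time/size/name layout; the function names and the sample listings are constructed for illustration.

```python
import re

# File-name prefix the posts above tie to this infection.
SUSPECT_PREFIX = "winunins"

# One file row of cmd.exe-style `dir` output: date, time, size, name (assumed layout).
ROW = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+[\d,]+\s+(.+)$")

def names(dir_output):
    """Return the lower-cased file names listed in saved `dir` output."""
    found = set()
    for line in dir_output.splitlines():
        match = ROW.match(line.strip())
        if match:
            found.add(match.group(1).strip().lower())
    return found

def cross_view(clean_view, live_view):
    """List files present in the clean view but absent from the live one.

    Each result is (name, matches_suspect_prefix). A name missing only from
    the live view is a lead to investigate, not proof of infection.
    """
    missing = sorted(names(clean_view) - names(live_view))
    return [(name, name.startswith(SUSPECT_PREFIX)) for name in missing]

# Constructed sample listings of `dir Win*.*` (not taken from a real system).
CLEAN_VIEW = """\
 Directory of C:\\WINDOWS

05/21/2004  08:02 PM               477 win.ini
05/21/2004  08:40 PM             1,024 winlog.tmp
05/20/2004  11:15 PM            70,144 winunins.exe
05/20/2004  11:15 PM             3,865 winunins.ini
"""
LIVE_VIEW = """\
 Directory of C:\\WINDOWS

05/21/2004  08:02 PM               477 WIN.INI
"""

if __name__ == "__main__":
    for name, suspect in cross_view(CLEAN_VIEW, LIVE_VIEW):
        print(f"{name:<16} {'matches thread indicator' if suspect else 'review manually'}")
```
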


#5 zeke0123


Posted 21 May 2004 - 11:04 PM

Thanks Rand, but I got lost somewhere around the first sentence. If you like, advise me like I'm a COMPLETE novice, otherwise I'll just get lost. I know just enough to know I've got a problem. Usually I just throw money at it (buy programs). I'd love to try and kill this myself (seems the only option) but I'm afraid I don't have the skill.

#6 rand1038


Posted 21 May 2004 - 11:15 PM

Check your other post, zeke0123
http://www.spywarein...st=0

#7 zeke0123


Posted 21 May 2004 - 11:33 PM

Ok

Edited by zeke0123, 21 May 2004 - 11:36 PM.




