CWS.temp\sp.html Hijack Bandaid


5 replies to this topic

#1 BCGovtMartyr (Bug Hunter, Full Member, 29 posts)

Posted 18 June 2004 - 02:03 PM

**Edited** There is a fix for this variation of CWS thanks to the efforts of some very dedicated people. If this board has helped you, please consider donating to their cause here ---> http://www.spywareinfo.com/support.php.
The helpers may be volunteers but someone is paying out of their pocket to help those in need and keeping this excellent site up to do so.
The original post is left intact for informational purposes only!! Please do not follow the suggestions listed since there is a cure that works and works well. :D

Hello fellow victims. One of my computers has been affected by this CWS hijacker, which I am affectionately dubbing CWS.temp\sp.html. I have to admire the way this hijacker works, and it has made my life a living hell for the last week or so. I have scoured the net for a solution to no avail.
Let me tell you the symptoms I experienced and then the bandaid cure, which appears to be working, that I used to alleviate the symptoms. NOTE: this is not a cure by any means, and people are working very hard on rectifying that as we speak. Ok, enough intro... now into the meat of it.

Symptoms:
Homepage changed to http://s1di.ewizard....x.php?aid=20038
(or something similar). Popups saying your system is infected with spyware. Hijackthis 1.59.0 shows the IE homepage and IE Search pages changed to C:Docu..\name..\local..\temp\sp.html (seems common in this strain). It does no good to list the .dll file because it changes from system to system and seems to be random, but there is a .dll file that gets written to your system that will be listed in the Hijackthis log. CWS.temp\sp.html will periodically clear your icon tray (near your clock) when it comes back in full force. If you find other symptoms that I've missed, please post them so others can determine if this bandaid will work for them.

Tools:
Hijackthis v. 1.97.7 (this is the latest version as of this writing)
Spybot Search & Destroy with latest update
CWShredder v. 1.59.0 (this is the latest version as of this writing)
Adaware 6 (free version with latest update)
And a lot of patience! <-- most important

Directions:
Download all the tools except the patience ::wink:: and install them. Run update on Spybot. Once that is done, reboot your system into "safe mode". If you don't know how to boot into safe mode, look for one of PGPhantom's posts; it's listed there. To repeat that here would be redundant. Find jscript.dll and jsproxy.dll in the C:\Windows\system32 folder and add "rename-" to the front (ie: rename-jscript.dll). Do the same for the folder (not the contents but the folder itself) Java in C:\Windows. This will not hurt your system in the least, and when it's figured out how to fix this you can just remove the "rename-" part. You're disabling Microsoft Virtual Java Machine. If you have installed Sun's Virtual Java Machine, uninstall that now. You can always reinstall it when a cure is found.
Run CWShredder newest version 1.59.0, and even if it says none found, scroll back up and double check. (I find that it removed CWS.Searchx even though it says none found.)
Spybot: make sure it's updated as stated above. Activate teatimer.exe (great little tool). To activate teatimer.exe if it's not running, in Spybot S&D click "mode" and choose "advanced" -> "Tools" -> "Resident". Also click IE Tweaks: "Lock Hosts file read-only as protection against hijackers". In Spybot-S&D click "Immunize" and make sure you have the Browser helper running. <-- this stuff is for when you boot back to normal mode. Click "check for problems" and fix only what Spybot has checked (it will find tons of stuff because you are in safe mode, but you don't want to delete most of it). AGAIN: ONLY FIX WHAT SPYBOT HAS CHECKED!!! <--- very, very important! Run Adaware 6 with latest update (seems like a new update every couple of days) and repair any problems it finds.
Run Hijackthis and check your log. It should be clear, but you will want to watch for unusual things like: O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll <-- dll name will be different. You will however want this BHO running: O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll <-- this is part of Spybot. Note: if in doubt DON'T DELETE it.. post your log and let someone look at it and advise you!
Ok, now all the R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\...\LOCALS~1\Temp\sp.html's should be gone. If not, check them off and click "FIX". POOF, they are gone!
Reboot into normal mode, and the symptoms should have subsided. The hijacker is NOT CURED!!!! People are still waiting on a cure. With that said, you will want to watch your Hijackthis logs every now and again to make sure, especially if symptoms return. I will post my Hijackthis log; this is after 24 hours with no symptoms. The only way I can even get the ewizard page to show up is when I run a CGI script on my server. Normally I wouldn't waste my time and would just format my drive, reinstall software and be done with it. But this hijacker is nasty, and maybe by leaving it on my system I can help find a solution by watching it carefully.
Now bear in mind that you are NOT running Java at this point, and websites that use Java will tell you that you need Java by a popup asking to download Microsoft Virtual Java Machine; click cancel (that's what I do anyway). Some elements on websites will not work because of the lack of Java, but it's a small price to pay to keep this hijacker under control.

Best of luck to all of you suffering from this vicious attack, and I hope my bandaid helps most of you. I had gone through my system and deleted a bunch of files in my system folder before applying the bandaid, but they always seemed to come back. Now they don't even come back (as far as I know). I DO NOT advise manually deleting files unless you really know what you're doing. <--- You've been warned! Aside from that, if you follow the directions above you will not harm your system. As stated before, if you're in doubt STOP!!! Run Hijackthis... post your log and let an expert help you! Please be patient!! These guys are getting slammed with people with the same problem as you, so kill some time and read the posts in this fine message board.
My Log:
Logfile of HijackThis v1.97.7
Scan saved at 1:21:22 PM, on 6/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Mail Enable\BIN\MELSC.EXE
C:\Program Files\Mail Enable\BIN\MEMTA.EXE
C:\Program Files\Mail Enable\BIN\MEPOC.EXE
C:\Program Files\Mail Enable\BIN\MEPOPS.EXE
C:\Program Files\Mail Enable\BIN\MESMTPC.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Quik Touch\EzdMontr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HighCriteria\TotalRecorder\TotalRecorder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Robert\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EzdMontr] C:\Program Files\Quik Touch\EzdMontr.exe install
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: Real.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4029D74F-DF3A-41E9-AD2A-B9664097B249}: NameServer = 192.168.1.1


Everything in my log I have verified should be running. This is after 24 hrs without symptoms, so the bandaid is working for me.

Edited by BCGovtMartyr, 23 June 2004 - 01:02 PM.

Bug Fighting Tools
Ad-Aware ~ HijackThis ~ CWShredder ~ Spybot

Other pesticides
Registrar Lite ~ Winfile

Help this site keep helping you
Please donate here
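The log-reading advice in the post above (watch the R0/R1 start and search pages for a file:// path into Temp, and watch O2 BHO lines for an unknown DLL) can be automated. The following is an added example, not code from the original post or from the HijackThis project: a small Python triage script that parses HijackThis-format lines and flags those two patterns. The sample log embedded in it is constructed for this example; the Spybot and Adobe BHO GUIDs and the momo.dll line are copied from the post, the Temp path is a placeholder, and the known-good DLL list is an assumption that a reader should extend from their own log.

```python
"""Triage a HijackThis-style log for the CWS sp.html pattern.

Added example, not part of the original post. Flags:
  * R0/R1 start/search entries whose value is a file:// URL or a bare
    local path (the hijacker points IE at sp.html in the user's Temp dir)
  * O2 BHO entries whose DLL is not on a known-good list
"""
import re
from urllib.parse import urlparse

# BHO DLLs the post identifies as legitimate (SDHelper.dll is Spybot's own
# helper, the Acro* DLLs are Adobe's). Assumption: extend from your own log.
KNOWN_GOOD_BHO_DLLS = {"sdhelper.dll", "acroiehelper.dll", "acroiefavclient.dll"}

R_ENTRY = re.compile(r"^(R[01]) - (?P<key>[^=]+?) = (?P<value>.*)$")
O2_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)

# Constructed sample log. The Temp path is a placeholder, not a real user.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
"""


def classify_line(line):
    """Return (severity, reason) for one HijackThis entry, or None if it looks benign."""
    m = R_ENTRY.match(line)
    if m:
        value = m.group("value").strip()
        scheme = urlparse(value).scheme.lower()
        # A local file or drive path as the start/search page is the CWS tell.
        if scheme == "file" or re.match(r"^[a-z]:\\", value, re.I):
            return ("high", f"IE start/search page points at a local file: {value}")
        if scheme not in ("http", "https", "about", ""):
            return ("medium", f"unexpected scheme in IE page setting: {value}")
        return None
    m = O2_ENTRY.match(line)
    if m:
        dll = m.group("path").rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_GOOD_BHO_DLLS:
            return ("high", f"unrecognised BHO {dll} ({m.group('clsid')})")
        return None
    return None  # O3/O4/O9/O17 etc. are not checked by this example


def triage(log_text):
    """Run classify_line over every non-empty line; return [(line, severity, reason)]."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verdict = classify_line(line)
        if verdict:
            findings.append((line, verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

The script only reads the log; it never fixes anything, which matches the post's advice to post the log and let someone check it before deleting entries. Any line it flags that is not on your own known-good list should be treated as "post the log", not "delete".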

#2 BCGovtMartyr (Bug Hunter, Full Member, 29 posts)

Posted 18 June 2004 - 05:22 PM

I think I cured it. Cleared my prefetch, temp internet and temp files, and everything runs as normal, with no signs in any of the scanners. Installed Java and tried to provoke the hijacker to surface, and no signs of it.
The only thing I did that is NOT listed in the bandaid was I deleted a file that I really needed ::doh:: and did a repair on the OS. Went through like I was doing a full install, and when the OS found my Windows it asked if I wanted to repair.. I said yes. Took about 1/2 hr. Didn't lose any of my programs or drivers, and everything works great. Guess we'll have to see. I will post back later, good or bad. Keep your fingers crossed.. looks like there is hope after all for this strain.

#3 BCGovtMartyr (Bug Hunter, Full Member, 29 posts)

Posted 19 June 2004 - 11:41 PM

BAD NEWS.. it's not cured. I turned off Spybot, Adaware etc. just to check and left it for a few hours, and poof, it was back. Adaware has a new update that finds sp.html and deletes it, though, and recognizes it as CWS. Spybot also has a new update as of this posting.
Something else that may help those plagued with this strain... in my hosts file (located in the C:\Windows\Drivers\etc directory) I added 127.0.0.1 http://s1di.ewizard.cc
so every time the hijacker tried to direct me to their site, my pc pointed to itself. I'll be damned if they're going to be making $$ off every time I hit their site because of their hijacking my computer!!!!
Remember, most of these morons who are hijacking your computer and having you redirected are making money off you, so if you can't cure it right away, make sure they're not making money!!! Edit your hosts file!!!!
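Windows reads the hosts file from %SystemRoot%\System32\drivers\etc\hosts (C:\Windows\System32\drivers\etc\hosts on an XP system), and each active line is an address followed by one or more bare hostnames; a line that carries a URL scheme such as http:// never matches a lookup. The Python below is an added example, not code from the thread: it reduces redirect URLs like the one quoted above to hostnames, emits valid 127.0.0.1 sinkhole lines, and checks an existing hosts file for hostnames that are not yet sinkholed, including the case where a URL rather than a hostname was written. The s1di.ewizard.cc host is the one quoted in the post; redirect.example.invalid and the sample hosts text are constructed placeholders.

```python
"""Build and verify hosts-file sinkhole entries for hijacker redirect targets.

Added example, not from the original thread. Assumptions: hostnames may be
given as full URLs or bare hosts; the sinkhole address is 127.0.0.1.
"""
from urllib.parse import urlparse

SINKHOLE = "127.0.0.1"


def hostname_from(target):
    """Return the lowercase hostname from a URL or bare host, or None if unusable."""
    t = target.strip()
    if not t:
        return None
    if "://" not in t:
        t = "http://" + t  # let urlparse handle a bare host or host/path
    host = urlparse(t).hostname  # already lowercased by urlparse
    if not host or "/" in host or " " in host:
        return None
    return host


def hosts_entries(targets, sinkhole=SINKHOLE):
    """Deduplicated, sorted 'ip host' lines suitable for appending to hosts."""
    hosts = {h for h in (hostname_from(t) for t in targets) if h}
    return [f"{sinkhole} {h}" for h in sorted(hosts)]


def parse_hosts(text):
    """Map hostname -> ip for every active (uncommented) line of a hosts file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            table[name.lower()] = ip
    return table


def missing_entries(existing_hosts_text, targets, sinkhole=SINKHOLE):
    """Sinkhole lines for targets whose hostname is not yet mapped to the sinkhole.

    A line such as '127.0.0.1 http://host' maps the literal token 'http://host',
    not 'host', so the real hostname still shows up here as missing.
    """
    table = parse_hosts(existing_hosts_text)
    return [
        line for line in hosts_entries(targets, sinkhole)
        if table.get(line.split()[1]) != sinkhole
    ]


# Constructed sample: a hosts file as the post describes it, plus localhost.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 http://s1di.ewizard.cc\n"
SAMPLE_TARGETS = ["http://s1di.ewizard.cc", "http://redirect.example.invalid/landing"]

if __name__ == "__main__":
    for line in missing_entries(SAMPLE_HOSTS, SAMPLE_TARGETS):
        print(line)
```

Sinkholing stops the redirect from reaching the operator's site, but it does nothing about the DLL and the Temp page that keep rewriting the IE settings; it is containment, not a cure. After appending entries, set the file read-only (the Spybot lock option mentioned in the first post does this) so the hijacker cannot simply overwrite it.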

#4 PiSToL (Member, New Member, 1 post)

Posted 20 June 2004 - 01:16 AM

Hi,

Try to find the file iafacob.dll in your windows\system directory and delete it. It worked for me.


Good luck

#5 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 20 June 2004 - 01:30 AM

There is a fix that appears to be working - DO NOT guess at it... You may do more damage than good.

#6 BCGovtMartyr (Bug Hunter, Full Member, 29 posts)

Posted 20 June 2004 - 03:17 PM

Tried dmforst's remedy. Logically the theory is sound, and it seems to be working. PGPhantom is correct: do not guess unless you are prepared and capable to fix what you break.

PGPhantom,
PE Explorer can't even open the dll file so it can be inspected and reverse engineered. If you want the file let me know, I'll hang onto it for a little while.
