BCGovtMartyr

CWS.temp\sp.html Hijack Bandaid

6 posts in this topic

**Edited** There is a fix for this variation of CWS thanks to the efforts of some very dedicated people. If this board has helped you, please consider donating to their cause here ---> http://www.spywareinfo.com/support.php.

The helpers may be volunteers but someone is paying out of their pocket to help those in need and keeping this excellent site up to do so.

The original post is left intact for informational purposes only!! Please do not follow the suggestions listed since there is a cure that works and works well. :D


Hello fellow victims. One of my computers has been affected with this CWS hijacker which I am affectionately dubbing CWS.temp\sp.html. I have to admire the way this hijacker works and it has made my life a living hell for the last week or so. I have scoured the net for a solution to no avail.

Let me tell you the symptoms I experienced and then the bandaid cure, which appears to be working, I used to alleviate the symptoms. NOTE: this is not a cure by any means and people are working very hard on rectifying that as we speak. Ok enough intro... now into the meat of it.


Symptoms:

Homepage changed to http://s1di.ewizard.cc/index.php?aid=20038

(or something similar). Popups saying your system is infected with spyware. Hijackthis 1.59.0 shows IE homepage and IE Search pages changed to C:Docu..\name..\local..\temp\sp.html (seems common in this strain). It does no good to list the .dll file because it changes from system to system and seems to be random but there is a .dll file that gets written to your system that will be listed in the Hijackthis log. CWS.temp\sp.html will periodically clear your icon tray (near your clock) when it comes back in full force. If you find other symptoms that I've missed please post them so others can determine if this bandaid will work for them.


Tools:

Hijackthis v. 1.97.7 (this is the latest version as of this writing)

Spybot Search & Destroy with latest update

CWShredder v. 1.59.0 (this is the latest version as of this writing)

Adaware 6 (free version with latest update)

And a lot of patience! <--most important


Directions:

Download all the tools except the patience ::wink:: and install them. Run update on Spybot. Once that is done reboot your system into "safe mode". If you don't know how to boot into safe mode look for one of PGPhantom's posts, it's listed there. To repeat that here would be redundant. Find jscript.dll and jsproxy.dll in the C:\Windows\system32 folder and add "rename-" in the front (ie: rename-jscript.dll). Do the same for the folder (not the contents but the folder itself) Java in C:\Windows. This will not hurt your system in the least and when it's figured out how to fix this you can just remove the "rename-" part. You're disabling Microsoft Virtual Java Machine. If you have installed Sun's Virtual Java Machine uninstall that now. You can always reinstall it when a cure is found.

Run CWShredder newest version 1.59.0 and even if it says none found scroll back up and double check. (I find that it removed CWS.Searchx even tho' it says none found)

Spybot, make sure it's updated as stated above. Activate teatimer.exe (great little tool). To activate teatimer.exe if it's not running in Spybot S&D click "mode" and choose "advanced" ->"Tools" ->"Resident". Also click IE Tweaks: "Lock Hosts file read-only as protection against hijackers". Click Spybot-S&D click "Immunize" and make sure you have the Browser helper running. <--this stuff is for when you boot back to normal mode. Click "check for problems" and fix only what spybot has checked. (it will find tons of stuff because you are in safe mode but you don't want to delete most of it). AGAIN: ONLY FIX WHAT SPYBOT HAS CHECKED!!! <---very very important! Run Adaware 6 with latest update (seems like a new update every couple days) and repair any problems it finds.

Run Hijackthis and check your log. It should be clear but you will want to watch for unusual things like: O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll <-- dll name will be different. You will however want this BHO running: O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll <--this is part of Spybot. Note: if in doubt DON'T DELETE it.. post your log and let someone look at it and advise you!

Ok now all the R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\...\LOCALS~1\Temp\sp.html's should be gone. If not check them off and click "FIX". POOF they are gone!

Reboot into normal mode and the symptoms should have subsided. The hijacker is NOT CURED!!!! People are still waiting on a cure. With that said you will want to watch your Hijackthis logs every now and again to make sure. Especially if symptoms return. I will post my Hijackthis log, this is after 24 hours with no symptoms. The only way I can even get the ewizard page to show up is when I run a CGI script on my server. Normally I wouldn't waste my time and would just format my drive, reinstall software and be done with it. But this hijacker is nasty and maybe by leaving it on my system I can help find a solution by watching it carefully.

Now bear in mind that you are NOT running Java at this point and websites who use Java will tell you that you need Java by a popup asking to download Microsoft Virtual Java Machine, click cancel (that's what I do anyway). Some elements on websites will not work because of the lack of Java but it's a small price to pay to keep this hijacker under control.


Best of Luck to all of you suffering from this vicious attack and I hope my bandaid helps most of you. I have gone through my system and deleted a bunch of files in my system folder before applying the bandaid but they always seemed to come back. Now they don't even come back (as far as I know). I DO NOT advise manually deleting files unless you really know what you're doing. <--- You've been warned! Aside from that if you follow the directions above you will not harm your system. As stated before, if you're in doubt STOP!!! run hijackthis... post your log and let an expert help you! Please be patient!! These guys are getting slammed with ppl with the same problem as you so kill some time and read the posts in this fine message board.

My Log:

Logfile of HijackThis v1.97.7

Scan saved at 1:21:22 PM, on 6/18/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Mail Enable\BIN\MELSC.EXE

C:\Program Files\Mail Enable\BIN\MEMTA.EXE

C:\Program Files\Mail Enable\BIN\MEPOC.EXE

C:\Program Files\Mail Enable\BIN\MEPOPS.EXE

C:\Program Files\Mail Enable\BIN\MESMTPC.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe

C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\Quik Touch\EzdMontr.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\PROGRA~1\NavNT\vptray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\Tablet.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\inetsrv\DavCData.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HighCriteria\TotalRecorder\TotalRecorder.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Robert\My Documents\HijackThis.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [EzdMontr] C:\Program Files\Quik Touch\EzdMontr.exe install

O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"

O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

O9 - Extra button: Real.com (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{4029D74F-DF3A-41E9-AD2A-B9664097B249}: NameServer = 192.168.1.1

I have verified that everything in my log should be running. This is after 24 hrs without symptoms so the bandaid is working for me.

Edited by BCGovtMartyr

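The log review the post describes (watch the R0/R1 lines for a start or search page pointing at a local Temp\sp.html, and watch the O2 lines for BHOs other than Spybot's SDHelper) can be scripted so it is repeatable every time the log is re-checked. The following is an added example written for this page, not code from the post or from HijackThis itself. It parses HijackThis v1.97-style entry lines from a constructed sample log, trusts only the SDHelper CLSID quoted in the post, and reports everything else for a human to decide on rather than deleting anything. The user directory name in the sample is a placeholder.

```python
import re
from dataclasses import dataclass

# CLSIDs a reviewer has already vetted. Only the Spybot SDHelper BHO quoted
# in the post is listed; any other BHO is reported for manual review, which
# is the post's "if in doubt, post your log" rule rather than an auto-delete.
TRUSTED_BHO_CLSIDS = {"{53707962-6F74-2D53-2644-206D7942484F}"}

# Constructed sample log in HijackThis v1.97 line format. The sp.html and
# momo.dll lines reproduce the indicators described in the post; USER~1 is a
# placeholder for the real profile directory.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {12226606-AF09-4DA0-A561-D4386C49EB61} - C:\WINDOWS\System32\momo.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4029D74F-DF3A-41E9-AD2A-B9664097B249}: NameServer = 192.168.1.1
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOCAL_FILE_RE = re.compile(r"(?:file://|^[A-Za-z]:\\)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R0" or "O2"
    reason: str    # why the line deserves a second look
    detail: str    # the offending target, CLSID line or command


def parse_log(text):
    """Yield (section, body) for every HijackThis entry line, skipping
    the header, the process list and blank lines."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["section"], m["body"]


def triage(text, trusted_bhos=TRUSTED_BHO_CLSIDS):
    """Return the entries a reviewer should look at. Nothing is removed;
    the output is meant to be posted with the log for a second opinion."""
    findings = []
    for section, body in parse_log(text):
        if section in ("R0", "R1"):
            # "Key,Value = target": a start or search page served from a
            # local temp file is the sp.html pattern the post describes.
            target = body.partition(" = ")[2]
            if LOCAL_FILE_RE.search(target) and TEMP_DIR_RE.search(target):
                findings.append(Finding(section, "IE page set to a local temp file", target))
        elif section == "O2":
            m = CLSID_RE.search(body)
            clsid = m.group(0).upper() if m else "(no clsid)"
            if clsid not in trusted_bhos:
                findings.append(Finding(section, "BHO not in trusted list", body))
        elif section == "O4":
            # "[name] command": autostart entries launched from a temp dir
            # are worth a look even when the filename means nothing.
            command = body.partition("] ")[2]
            if TEMP_DIR_RE.search(command):
                findings.append(Finding(section, "autostart from temp directory", command))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason} -> {f.detail}")
```

Run against the sample, the script reports the SearchAssistant line and the momo.dll BHO and stays quiet about the Google start page, SDHelper, the vptray autostart and the LAN name server. Extending `TRUSTED_BHO_CLSIDS` with CLSIDs you have personally verified is the only tuning it needs.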

I think I cured it. Cleared my prefetch, temp internet and temp files and everything runs as normal and no signs in any of the scanners. Installed Java and tried to provoke the hijacker to surface and no signs of it.

The only thing I did that is NOT listed in the bandaid was I deleted a file that I really needed ::doh:: and did a repair on the OS. Went through like I was doing a full install and when the OS found my Windows it asked if I wanted to repair.. I said yes. Took about 1/2 hr. Didn't lose any of my programs or drivers and everything works great. Guess we'll have to see. I will post back later good or bad. Keep your fingers crossed.. looks like there is hope after all for this strain.


BAD NEWS.. it's not cured. I turned off Spybot, Adaware etc just to check and left it for a few hours and poof it was back. Adaware has a new update that finds sp.html and deletes it tho' and recognizes it as CWS. Spybot also has a new update as of this posting.

Something else that may help those plagued with this strain... in my host file (located in C:\Windows\Drivers\etc directory) I added 127.0.0.1 http://s1di.ewizard.cc

so every time the hijacker tried to direct me to their site my pc pointed to itself. I'll be damned if they're going to be making $$ off every time I hit their site because of their hijacking my computer!!!!

Remember, most of these morons who are hijacking your computer are having you redirected and making money off you, so if you can't cure it right away make sure they're not making money!!! Edit your host file!!!!

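A hosts-file entry only takes effect when its second column is a bare hostname; the resolver never sees a scheme or a path, so a line whose name column reads http://s1di.ewizard.cc does not match a lookup for s1di.ewizard.cc. As an added example (not code from the post), the helper below reduces a URL or hostname to a correctly formed sinkhole line and checks whether a given hostname is actually sinkholed by a hosts file, so the edit can be verified rather than assumed. The sample hosts text is constructed; on Windows XP the live file is %SystemRoot%\System32\drivers\etc\hosts.

```python
from urllib.parse import urlsplit

SINKHOLE = "127.0.0.1"


def hosts_line_for(target, sink=SINKHOLE):
    """Build a hosts-file line that sinkholes `target`.

    `target` may be a bare hostname or a full URL; only the host part can
    appear in a hosts file, so a URL is reduced to its hostname first."""
    host = urlsplit(target).hostname if "://" in target else target
    host = (host or "").strip().lower().rstrip(".")
    # A hostname never contains a slash, a colon or whitespace; anything
    # that still does would silently never match and must not be written.
    if not host or any(c in host for c in "/: \t"):
        raise ValueError(f"not a hostname: {target!r}")
    return f"{sink} {host}"


def parse_hosts(text):
    """Map each name in hosts-file text to the address it resolves to,
    honouring '#' comments and multiple names per line."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            table[name.lower()] = address
    return table


def is_sinkholed(text, hostname):
    """True when `hostname` resolves to loopback or the null address
    according to the hosts-file text."""
    return parse_hosts(text).get(hostname.lower().rstrip(".")) in ("127.0.0.1", "0.0.0.0")


# Constructed sample: the first file carries the URL-style line, the second
# carries the same intent written as a hostname entry.
BROKEN_HOSTS = "127.0.0.1 localhost\n127.0.0.1 http://s1di.ewizard.cc\n"
FIXED_HOSTS = "127.0.0.1 localhost\n" + hosts_line_for("http://s1di.ewizard.cc/index.php?aid=20038") + "\n"

if __name__ == "__main__":
    for label, text in (("URL-style line", BROKEN_HOSTS), ("hostname line", FIXED_HOSTS)):
        print(f"{label}: s1di.ewizard.cc sinkholed = {is_sinkholed(text, 's1di.ewizard.cc')}")
```

`hosts_line_for` is also the place to reject anything that is not a hostname, which matters because a malformed line is accepted by the file and simply does nothing. After editing the real file, `ping` or `nslookup` against the hostname should answer with 127.0.0.1 before you trust the block.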

Hi,

Try to find the file iafacob.dll in your windows\system directory and delete it. It worked for me.

Good luck


There is a fix that appears to be working - DO not guess at it... You may do more damage than good.


Tried dmforst's remedy. Logically the theory is sound and seems to be working. PGPhantom is correct, do not guess unless you are prepared and capable to fix what you break.


PGPhantom,

PE Explorer can't even open the dll file so it can be inspected and reverse engineered. If you want the file let me know, I'll hang onto it for a little while.
