Identified - and removed - the hidden startup CWS


8 replies to this topic

#1 BobO

BobO

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 24 June 2004 - 09:30 AM

I'm running Win 98, and infected with CWSearchx. 3 weeks now. Have used everything: Shredder, Spybot, Adaware, ZoneAlarm. Cleans but everything comes back. Clearly something is embedded in the system and boots up with it.

So this morning I tried looking for clues in MS System Information. And there in Software Environment > System Hooks I found it: a certain "Windows Procedure" tagged to ctlj.dll in the Windows\System directory. Hmm. I went looking for this dll in Win Explorer, but it didn't show - and I have it set to display all hidden and system files. Hmm again.

Went into MS DOS prompt, navigated to C:\Windows\System and did a dir ct*.*. Sure enough it showed up -- ctlj.dll. I tried to copy the file to a different folder to analyze it, but it wouldn't copy - lock violation.

I exited, and rebooted into DOS command prompt safe mode. This time the file copied over fine. Then I renamed the original to ctlj.wha and booted into Windows Safe Mode.

While booting into safe mode, Windows complained about not finding ctlj.dll (aha!) but when I clicked OK on the dialog it finished booting anyway. I examined ctlj.dll in the test folder, and found it had a date of 6/04/04 time 3:02pm. No version number. Ran Adaware on it (I always make sure Adaware scans every file in \Windows, \Program Files, \My Documents anyway) and it - as well as the renamed version in the system folder - was identified as CWS. Bingo.

I deleted the version in \Windows\System and renamed the one in the test folder. (I'm holding on to it in case it has more clues inside.) Rebooted normally. No complaints from Windows this time. Everything working as it should. No hijack so far.

I think I nailed it.

Ya think?

BobO

:hmmm:

EDIT: I've put together a step-by-step compilation of the above so you can do the same thing on your system (Windows 98).

Here Is A Fix For Windows 98

Best of luck.

BobO

Edited by BobO, 28 June 2004 - 09:08 PM.


#2 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 24 June 2004 - 09:36 AM

Nice work! :D

There could be more to it.. See if you're still ok after a day or so.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#3 BobO

BobO

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 24 June 2004 - 09:47 PM

Update: 10:44 pm -- 13 hours with no hijack, no popups, no redirects. Shredder and Adaware show clean system. Hijack This log normal.

I've rebooted twice -- normal bootups. MS Sysinfo System Hooks just shows the mouse driver.

This is the first time in 3 weeks I've gone so long without trouble. Looking good -- keeping my fingers crossed. More tomorrow.

BobO

:whistle:

#4 bman

bman

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 24 June 2004 - 10:18 PM

Thanks for the clue, I will look for it on my contaminated system as well. FYI, check your Scheduler. Mine has a strange entry called "Tune-up Application Start" that runs twice a month at odd times. I didn't add it. It references a file called "walign". I have also found a slew of executable files in the Windows directory that were created at the same time as some CWS-looking .exe files. Will be taking a close look at them as well.

#5 BobO

BobO

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 24 June 2004 - 10:47 PM

bman --

I don't use the Scheduler at all, but "Tune Up Application Start" doesn't sound familiar. If you don't use it, get rid of it, or at least take it out of service.

But Walign.exe is a valid System file. I did a search for it and it's on my system too. If you have a question about an .exe file, right-click on it and check its Properties. It should show you the publisher and version number of the file. Same for .dll files. If it's copyright Microsoft, then it's probably OK, no matter how wacky the name sounds.

But I would think recently created .exe files are definitely suspect. Check 'em out for sure.

BobO
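The checks BobO describes in post #1 (a DLL with no version number) and post #5 (look at a file's publisher and version, treat recently created executables as suspect) can be automated. The following is an added example, not code from the thread or from any of the tools named in it: a byte-level heuristic that pulls CompanyName and FileVersion out of a PE's version resource and applies the thread's rules of thumb; the sample "binaries" it builds are constructed test data, and a real PE parser would be more robust than this string search.

```python
import struct
import time

# UTF-16LE marker that opens the VS_VERSIONINFO resource embedded in a PE file.
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")


def read_version_string(data, key):
    """Heuristic StringFileInfo lookup in raw PE bytes: locate the UTF-16LE key after
    the marker, skip its NUL terminator and DWORD padding, read the UTF-16LE value.
    Returns None when the file has no version resource or lacks the key."""
    start = data.find(VERSION_MARKER)
    if start < 0:
        return None
    needle = key.encode("utf-16-le") + b"\x00\x00"
    pos = data.find(needle, start)
    if pos < 0:
        return None
    pos += len(needle)
    while pos + 1 < len(data) and data[pos:pos + 2] == b"\x00\x00":
        pos += 2  # alignment padding that precedes the value
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")


def triage_bytes(data, mtime, now=None, max_age_days=30):
    """The thread's rules of thumb: no version info => suspect; recently written and
    publisher not Microsoft => suspect. mtime is os.stat(path).st_mtime (caller does I/O)."""
    now = time.time() if now is None else now
    company = read_version_string(data, "CompanyName")
    version = read_version_string(data, "FileVersion")
    recent = (now - mtime) < max_age_days * 86400
    microsoft = bool(company) and "microsoft" in company.lower()
    suspect = version is None or (recent and not microsoft)
    return {"company": company, "version": version, "recent": recent, "suspect": suspect}


def build_fake_version_blob(company, version):
    """Constructed sample, not a real binary: an MZ stub plus a minimal StringFileInfo
    fragment with the real layout (6-byte header, UTF-16LE key, DWORD pad, value)."""
    def entry(key, value):
        k = key.encode("utf-16-le") + b"\x00\x00"
        v = value.encode("utf-16-le") + b"\x00\x00"
        pad = b"\x00\x00" if (6 + len(k)) % 4 else b""
        return struct.pack("<HHH", 6 + len(k + pad + v), len(value) + 1, 1) + k + pad + v
    return (b"MZ" + b"\x00" * 62 + VERSION_MARKER + b"\x00\x00"
            + entry("CompanyName", company) + entry("FileVersion", version))
```

To sweep a folder the way the thread checks \Windows\System, read each .dll/.exe and pass its bytes and st_mtime to triage_bytes; a "Microsoft" CompanyName is only a rule of thumb, since a version resource can be forged.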

#6 BobO

BobO

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 25 June 2004 - 08:18 AM

Update: 9:00 am -- 24 hours since the hidden CWS startup .dll was removed. No hijacks, no popups, no about:blank, no problems. All scans clean. Four reboots for testing purposes in that time.

Looking good -- and I'm waiting to exhale...

BobO

#7 BobO

BobO

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 26 June 2004 - 06:49 AM

OK, 2 days later and I think we can safely say it's gone. Wheeeeeew...

:D

#8 BobO

BobO

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 27 June 2004 - 10:39 AM

Three days clean. Others have reported success with this method too.

If you want a step-by-step version of how to use this method click here.

BobO

#9 azbmr

azbmr

    Member

  • New Member
  • Pip
  • 1 posts

Posted 11 October 2004 - 04:58 PM

Thanks for the clue, I will look for it on my contaminated system as well. FYI, check your Scheduler. Mine has a strange entry called "Tune-up Application Start" that runs twice a month at odd times. I didn't add it. It references a file called "walign". I have also found a slew of executable files in the Windows directory that were created at the same time as some CWS-looking .exe files. Will be taking a close look at them as well.



Walign is ok (unless it has been infected by a virus, but I've never heard of that).
It is a standard Win98 program, and here is a link to its official description:
http://support.micro...om/?kbid=191655

Just FYI.



