Topic: Full removal of CWS.SearchX variant, sp.html!!!  (Read 2858 times)
toxsik
« on: July 11, 2004, 07:33:26 PM »

Hello. My name is toxsik and I just spent the past few hours trying to remove the CWS.SearchX trojan, aka Troj_StartPage.sp, Trojan_StartPage.FH, About:blank, BackDoor.Agent.BA, and Sp.html, from my Windows XP Pro system. For an example of this trojan and what it looks like if you have it, please refer to the following page, as they have screenshots of the pop-ups and the sp.html page.

http://www.pandasoftware.com/virus_info/encyclopedia/ficha.aspx?iddeteccion=105595
Also there's a pop-up that looks like little green bugs, getting busy! =) but that's not posted, prob. cuz they think it would be too vulgar.

Now I had a lot of trouble w/ this one and I was very paranoid in the final removal of the trojan cuz I tried everything and it kept coming back! This is because this trojan is a 2-stage infection.

1) Puts a dll in the system32 folder in Windows, then kills some Windows programs like Notepad. I know this cuz I got this message before I realized what it was ('NOTEPAD.EXE' is not a valid Win32 application) when I clicked on my Notepad shortcut in my Start menu. So I right-clicked Properties on the shortcut and it was a Notepad.exe file in system32 that, when on the shortcut, caused a DOS-looking icon, you know, looks like a blue Windows title bar and a white blank body. Hopefully I explained it well enough; anyway, I just ignored this and changed it back to the Windows Notepad.exe in the Windows dir! NOT IN SYSTEM32 DIR! For more info on the Windows files the CoolWebSearch trojan replaces for its own purposes go here: http://www.spywareinfo.com/~merijn/winfiles.html
This is also the place to get CWShredder under the download link in the menu, which we will need at the end of this cuz we're so paranoid. P.S. You should read up on as much stuff here as you can to get a good understanding of the CWS trojan and what this poor soul has to put up w/ from the CWS developers! CWS BASTARDS! Hope they all die!

2) So I tried everything: running Norton AV 2004, Ad-aware, Spybot S&D, CWShredder, HijackThis, etc. These programs would catch the second dll file, which has a random name (mine was nbj.dll), in the system32 folder. Ad-aware would find these sp.html entries in my Documents and Settings\<username>\Local Settings\Temp and Temporary Internet Files folders. But, because it is only the second dll, after a very short disinfection sp.html comes back, sets your browser back to about:blank and replaces the second dll w/ a new renamed dll.

3) I finally got this program Spy Sweeper 3.0 from www.webroot.com. Good program, cuz it found both the second dll and the sp.html's and the changes to the registry to set the homepage to sp.html and all that!

Okay so the fix:

Need these programs:
Registrar Lite   ------------> http://www.resplendence.com/main
CWShredder & HijackThis  ------->  http://www.spywareinfo.com/~merijn/
WINFILE   ------------>  http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Now we are going to get rid of the hidden DLL that is causing all the problems.
In Registrar Lite:
=====================================
First we need to make it visible:
Copy and paste this line to reglite's address bar. Then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Rename the Folder Windows to NotWindows
(the folder is highlighted as a purple folder in the left hand pane of reglite)

Click "AppInit_DLLs" again and clear the data value:

mine was: C:\WINDOWS\System32\d3d.dll <-- delete this line,
'Apply' and 'OK' to set. (I understand in this case this looks like DirectX, it even has all the DirectX info in the properties, but after I deleted it and ran dxdiag, DirectX worked fine. This may be because this is an old dll that DirectX used to use as one of its files?)

Rename the NotWindows folder back to its original name Windows
========================================
Restart your computer.

After restart, try to locate the winm.dll in the System32 folder, but don't attempt to delete it yet.

Go to your root drive: C:\ And create new folder.
Name it: "junk"
===============================

Run the 'Winfile' you previously downloaded and unzipped.
Expand and navigate to System32 folder.
You need to navigate by Double clicking to expand.

When in System32 click top menu: File --> Select files
Copy and paste to the box the name of the dll you found in the AppInit_DLLs key, i.e. mine (d3d.dll).

Find and highlight that file.
Next, in the top menu select Security > Permissions;
change it, if you have to, to full access.

Then: Menu -File --> move...
In From: Copy/paste:
C:\WINDOWS\System32\(d3d).dll

In To: Copy and paste:
C:\junk\(d3d).dll

Then hit ok.

Close Winfile and check in C:\junk for that file. (Not deleting the file is to ensure that if you are wrong, and maybe it's a different virus, not CWS, nothing is broken and you can put it back.)

Restart in Safe Mode

Run Ad-aware, Spy Sweeper, CWShredder, etc.

In CWShredder look for a BHO entry that points to no file, ****.dll; del the entry.

Del any browser hijack entries you may have.

Then search all files for notepad. Notice the .chm and .hlp files; these are legit, don't del these. All other ones, except your Start menu shortcuts, delete! Then take the notepad.exe file you should have downloaded off of the CWShredder winfiles section back into windows\notepad.exe, cuz that's where it belongs, not in the System32 folder; any entries you may have found in SYS32, del. Also I noticed notepad.exe.bak's that I did not create; del them too.

Now for me, I noticed a weird shortcut named notepad w/ a blue DOS-type icon in C:\windows\system32\config\systemprofile\Start Menu\Programs\Accessories. Checking the properties on this shortcut showed it pointing to C:\windows\system32\actmovie.exe. Now I know this file is familiar, cuz I remember it from Win98; I'm not sure if it comes w/ WinXP? I dunno, but I went to the directory in normal mode and cut it to the c:\junk folder we made, went back to check if it was still in sys32, and it was, so I deleted it, then went into a different dir and back to sys32 and BOOM, it was back. So I figured mine is part of this too, so back to Safe Mode and del it for good!

After all this, run Ad-aware, Spy Sweeper (my favorite), CWShredder, and check your HijackThis log one more time just to be sure, and there you go. Fixed, at least on mine; I've been running 24 hrs, no more BS!

JUST for protection, search the web on how to uninstall Microsoft Java VM, cuz they don't support it any more. Go to http://www.java.com/en/index.jsp to get good updated Sun Java 2.0, cuz I saw in other forums that this could be how CWS got on my computer, through a security flaw in Microsoft Java VM!

Okay, tell me how everyone does, and have a nice day! :)
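A read-only PowerShell audit of the persistence points this post walks through (AppInit_DLLs, orphaned BHO entries, notepad.exe copies, the IE start page), added here as an example and not part of the original post or of any tool it mentions. It assumes an elevated PowerShell session on a Windows host and only reports; it changes nothing.

```powershell
# Added example (not from the post): report the places the post inspects by hand.
# Assumes an elevated PowerShell session; every step is read-only.
$findings = @()

# 1. AppInit_DLLs: each DLL listed here is loaded into every process that links
#    user32.dll, which is why the first-stage DLL outlived the cleanup tools.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($dll in ($appInit -split '[,; ]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
        $sig = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FILE MISSING' }
        $findings += [pscustomobject]@{ Check = 'AppInit_DLLs'; Item = $path; Note = "signature: $sig" }
    }
} else {
    $findings += [pscustomobject]@{ Check = 'AppInit_DLLs'; Item = '(empty)'; Note = 'nothing registered' }
}

# 2. Browser Helper Objects: resolve each CLSID to its InprocServer32 DLL and flag
#    entries whose DLL is gone (the "points to no file" case the post describes).
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($clsid in (Get-ChildItem -LiteralPath $bhoKey).PSChildName) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }
        $note = if ($dllPath -and (Test-Path -LiteralPath $dllPath)) { 'present' } else { 'DLL MISSING: orphaned entry' }
        $findings += [pscustomobject]@{ Check = 'BHO'; Item = "$clsid -> $dllPath"; Note = $note }
    }
}

# 3. notepad.exe copies: the post found a foreign one in System32. On current Windows a
#    Microsoft-signed copy in both directories is normal; an unsigned one is not.
foreach ($p in @("$env:SystemRoot\notepad.exe", "$env:SystemRoot\System32\notepad.exe")) {
    if (Test-Path -LiteralPath $p) {
        $sig = (Get-AuthenticodeSignature -FilePath $p).Status
        $findings += [pscustomobject]@{ Check = 'notepad.exe'; Item = $p; Note = "signature: $sig" }
    }
}

# 4. IE start page, which the post saw reset to sp.html / about:blank.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start  = (Get-ItemProperty -LiteralPath $ieMain -ErrorAction SilentlyContinue).'Start Page'
$findings += [pscustomobject]@{ Check = 'IE Start Page'; Item = "$start"; Note = '' }

$findings | Format-Table -AutoSize
```

Anything reported as FILE MISSING, DLL MISSING, or with a signature other than Valid is what the manual steps above were hunting for; verify the file before moving it, as the post's C:\junk step does.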