Re: CWS.SEARCHX CoolWebSearch won't go away!


From: MowGreen [MVP] (mowgreen_at_nowandzen.com)
Date: 05/20/04


Date: Thu, 20 May 2004 11:13:53 -0700

Richard,

I copied and pasted the response without ascertaining all the info
given was accurate. My fault ... I'll make the person who sent it to
me pay for this transgression :)

Please go here and Register:
http://forum.aumha.org/profile.php?mode=register

Then, post the HijackThis log:
http://forum.aumha.org/viewforum.php?f=30

Sorry about the confusing/inaccurate instructions.

MowGreen [MVP]
*-343-* Never Forgotten

. wrote:

> Mr. Mow,
> Thanks for the fast response. I had a few problems while following your
> instructions.
>
> #1--The link you have for CWShredder points to Hijack This. I ran both of
> these programs just to be sure.
>
> #2--The findall output said that the culprit DLL was hlped.dll in the
> windows\system32 folder. This file was not in this directory (or anywhere
> else on my computer for that matter), so I could not move it to C:\junk. I
> didn't know what to do from here, so I ran Hijack This to see what it said.
> It listed a BOH (or something like that, can't remember exactly what it
> said) that something about search (sorry, shoulda written more
> down)--anyways, the file was boaaofa.dll. I thought this might be some sort
> of 'culprit dll,' so I followed the rest of the instructions as this
> boaaofa.dll file as the culprit dll file. (this file was located in
> C:\windows\system32)
>
> #3--I'm not sure what you mean when you say 'next repeat the above steps,
> substitute the 'secondary dll' From: "text/html" as seen in the
> "output.txt."
>
> Can you give me some suggestions on the problems I ran into?
>
> Thanks so much for your help,
> Richard
>
>
> "MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
> news:e8gT4aEPEHA.3264@tk2msftngp13.phx.gbl...
>
>>Variant 38: CWS.Searchx - About:blank
>>http://www.spywareinfo.com/~merijn/cwschronicles.html#searchx
>>
>>If "about:blank" is your issue, follow these steps laid out by
>>Mike Burgess, MVP :
>>
>>" Download: "RepairAppInit.reg" (XP\2K only!)
>>http://www.mvps.org/winhelp2002/RepairAppInit.reg
>>Do not do anything with this file yet, it will be needed later.
>>
>>Download: CWShredder (***NOTE: as stated above, if you already have
>>v.1.57, skip this step***)
>>http://www.spywareinfo.com/~merijn/files/hijackthis.zip
>>Unzip, but do not run it yet, it will be needed later.
>>
>>Download: Ad-Aware
>>http://www.lavasoft.de/software/adaware/
>>Install, but do not run it yet, it will be needed later.
>>
>>Download: Find-All.zip
>>http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
>>Unzip, but do not run it yet, it will be needed later.
>>
>>Download: WINFILE.zip
>>http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
>>Unzip, but do not run it yet, it will be needed later.
>>
>>Download: Registrar Lite [freeware]
>>http://www.resplendence.com/download
>>Install, but do not run it yet, it will be needed later.
>>
>>[Step1]
>>
>>Double-click the included "Find-All.bat" file from Find-All.zip.
>>Generates: "output.txt"
>>Note: if infected you will see:
>>
>>Locked file(s) found...
>>C:\WINDOWS\System32\<filename> +++ File read error
>>Where "<filename>" is the hidden invisible installer.
>>Note: "+++ File read error" is not an error, this just identifies the
>>culprit.
>>
>>[Step2]
>>
>>Run "Registrar Lite" and navigate to:
>>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>>Double click on "AppInit_DLLs" entry (right pane)
>>The size will likely be something other than "1" (if infected)
>>IMPORTANT: Make a note of the filename and location (folder)
>>
>>[Step3]
>>
>>Rename the highlighted "Windows" key (left pane)
>>To rename: Right-click and select: Rename
>>(type) NoWindows
>>
>>
>>Double-click "AppInit_DLLs" again (right pane)
>>Clear (delete) the "Value" containing the .dll and click Ok.
>>
>>
>>IMPORTANT: Rename the "NoWindows" key (left pane)
>>To rename: Right-click and select: Rename
>>(type) "Windows" (no quotes) and close RegLite.
>>
>>[Step 4]
>>
>>Using Windows Explorer go to your root drive: (typically) "C:\"
>>Click File (up top) select: New > Folder
>>(type) "Junk" (no quotes)
>>
>>Open Winfile
>>
>>Navigate to System32 folder.
>>Click File (up top) select: Move
>>
>>Copy and paste this into the 'From' box:
>>C:\WINDOWS\System32\<filename>.dll
>>Copy and paste this into the 'To' box: C:\Junk\<filename>.dll
>>
>>Note: where "<filename>" = culprit dll from "output.txt"
>>
>>Click OK. Close Winfile
>>Open Windows Explorer and check in C:\Junk for the "<filename>.dll"
>>file.
>>
>>At this point see if you can rename the "<filename>.dll"
>>Do this several times, changing the name and extension each time.
>>Then see if you can "Move" to "A:\" (floppy)
>>
>>[Step 5]
>>
>>Locate: "RepairAppInit.reg" right-click and select: Merge
>>Ok the prompt
>>
>>[Step 6]
>>
>>Open Regedit (Start | Run, (type) "regedit" (no quotes))
>>Use the Search function for the <filename>.dll
>>Click: Edit (up top) select: Find
>>(type) <filename>.dll, click: Find Next
>>
>>Note: where "<filename>" = culprit dll from "output.txt"
>>
>>Remove all instances found. Press "F3" to continue searching
>>until you see the "Completed" message.
>>
>>Next repeat the above steps, substitute the "secondary dll"
>>From: "text/html" as seen in the "output.txt"
>>
>>[Step 7]
>>
>>Run CWShredder and reboot.
>>
>>[Step 8]
>>Run Ad-Aware
>>
>>Reconfigure Ad-Aware for Full Scan:
>>Please update the reference file following the instructions here:
>>http://www.lavahelp.com/howto/updref/index.html
>>
>>Launch the program, and click on the Gear at the top of the start
>>screen.
>>
>>Click the "Scanning" button.
>>Under Drives & Folders, select "Scan within Archives".
>>Click "Click here to select Drives + folders" and select your
>>installed hard drives.
>>
>>Under Memory & Registry, select all options.
>>Click the "Advanced" button.
>>Under "Log-file detail", select all options.
>>Click the "Tweaks" button.
>>
>>Under "Scanning Engine", select the following:
>>"Include additional Ad-aware settings in logfile" and
>>"Unload recognized processes during scanning."
>>Under "Cleaning Engine", select the following:
>>"Let Windows remove files in use after reboot."
>>Click on 'Proceed' to save these Preferences.
>>Please make sure that you activate IN-DEPTH scanning before you proceed.
>>
>>After the above post a fresh [HijackThis] log [to an appropriate
>>forum] ...
>>--
>>
>>Disclaimer: Renaming the "Windows" key modified some security settings.
>>
>>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>>
>>Right-click the "Windows" key, select: Permissions
>>
>>[Example]
>>Before renaming the "Windows" key:
>>
>>"Path"
>>"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
>>"Read":
>>*"Administrators
>>*Power Users
>>*Users"
>>"Write"
>>*"Administrators"
>>
>>--
>>[Example]
>>
>>After Renaming the key:
>>
>>"Path"
>>"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
>>"Read":
>>***"Everyone"***
>>"Write"
>>*"Administrators
>>--
>>
>>You need to check that and if 'Everyone' was added (as seen above)
>>You need to reset your original settings as follows:
>>Note: do this after removing the infection.
>>
>>Right-click "Windows", select: Permissions
>>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
>>
>>Click Advanced [button]
>>If the "inherit permissions" box is checked = Uncheck it.
>>Then select "COPY" on the prompt.
>>
>>Select "Everyone Group" (if listed) and remove. (only the group)
>>You can individually view/edit each group settings.
>>Be sure "Administrators" and "System" have full control on all.
>>Note: Creator owner full control on Sub keys only.
>>"Power users" and "users" = "read control". "
>>
>>
>>
>>MowGreen [MVP]
>>*-343-* Never Forgotten
>>
>>
>>Richard Hunt wrote:
>>
>>
>>>Hello,
>>>I've tried everything to get rid of cws.searchx including running
>>>cwshredder, search and destroy, adaware, and hijack this (and deleting
>>>appropriate entries); deleting registry entries; and every other thing you
>>>can think of, and the darn thing keeps coming back within 20 minutes of
>>>getting rid of it. I've tried running these programs in safe mode to no
>>>avail. I'm using all the updated versions of each program.
>>>
>>>Could someone give me some advice on what to do next? I really don't want
>>>to have to reinstall windows or anything drastic like that. I appreciate
>>>any help you guys can give me.
>>>
>>>Thanks
>>>Richard
>>>
>>>
>>
>
>
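The manual checks in the quoted instructions (reading AppInit_DLLs in Registrar Lite, confirming the culprit file on disk, and auditing the "Windows" key for an added "Everyone" entry) can be scripted. The following is an added PowerShell example, not code from the thread or from any of the tools named in it; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and only reports, it changes nothing.

```powershell
# Added defensive check (not from the thread): audit the AppInit_DLLs value
# and the ACL on the "Windows" key that the quoted instructions rename.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDlls {
    # AppInit_DLLs is a REG_SZ; multiple entries are separated by spaces or commas.
    $value = (Get-ItemProperty -Path $keyPath -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return ($value -split '[ ,]+' | Where-Object { $_ -ne '' })
}

function Test-AppInitDll {
    param([string]$Entry)
    # A bare file name (like the thread's <filename>.dll) loads from System32.
    $path = if ([IO.Path]::IsPathRooted($Entry)) { $Entry } else { Join-Path $env:SystemRoot "System32\$Entry" }
    $exists = Test-Path -LiteralPath $path
    $hidden = $false; $signed = 'n/a'
    if ($exists) {
        # -Force is needed to see a file carrying the Hidden attribute.
        $item = Get-Item -LiteralPath $path -Force
        $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        $signed = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    [pscustomobject]@{ Entry = $Entry; Path = $path; Exists = $exists; Hidden = $hidden; Signature = $signed }
}

function Test-WindowsKeyAcl {
    # The thread's disclaimer: renaming the key can leave "Everyone" with Read on it.
    $acl = Get-Acl -Path $keyPath
    $everyone = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
    [pscustomobject]@{
        Owner            = $acl.Owner
        EveryoneHasEntry = [bool]$everyone
        EveryoneRights   = ($everyone | ForEach-Object { $_.RegistryRights }) -join ', '
    }
}

# Report: a clean machine normally has an empty AppInit_DLLs value and no
# "Everyone" entry on the key.
$dlls = Get-AppInitDlls
if ($dlls.Count -eq 0) { Write-Host 'AppInit_DLLs is empty.' }
else { $dlls | ForEach-Object { Test-AppInitDll $_ } | Format-Table -AutoSize }
Test-WindowsKeyAcl | Format-List
```

An entry that does not exist on disk, is hidden, or has a signature status other than Valid is the thing to investigate before any renaming or deletion.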

