Aubs_UK, Posted July 25, 2004

To Remove "CWS" Hijacker Adware in Windows 2000 SP4 with Internet Explorer 6.0 SP1
(probably works in NT and XP with some directory name changes only)

Programs Needed:

1. Reglite.exe << more powerful than regedit.exe and regedt32.exe
(available at http://www.resplendence.com/reglite)

2. Microsoft Recovery Console
(an option available on your Windows CD or root drive)
run "X:\i386\winnt32.exe /cmdcons"
where "X" is either the CD drive letter or is "C" for your root.

3. Ad-aware.exe (available at http://www.lavasoft.de)
or HiJackThis.exe (available at http://download.com.com/3000-2144-10227352.html)

Method:

There are 2 application extension (.dll) files that need to be deleted. One is super-hidden, one is detected with the spyware detector progs above. You may find that you just need the super-hidden file to be removed if you've previously cleaned up very recently.

Just a quick note about the super-hidden DLL. Why is it super-hidden? Due to the location of the registry entry it's in, it is unseen in the Windows environment. Follow the steps below, and you'll see why...

Step 1: With "Reglite.exe" find the name of the hidden file:

Double click on "AppInit_DLLs" located in
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"
The "value" window reveals the hidden file name (mine was "logao.dll", yours may be different!). In this example let's call it "hidden.dll".

n.b. If you try and use regedit.exe or regedt32.exe, and go to the same location, you will not find any value for AppInit_DLLs.

Step 2: Rename the hidden file:

Close Windows and reboot using "Windows Recovery Console" (this is in your Start-up Options on boot up, e.g.
"Microsoft Windows 2000 Professional" /fastdetect
"Microsoft Windows 2000 Recovery Console" /cmdcons <<< select this one)

Go to "c:\Windows\system32\" and do two things.
1st, change the file from read only by typing "attrib -r hidden.dll"
2nd, rename it by typing "rename hidden.dll nasty.dll"
(and remember that "hidden.dll" is for this explanation only; use the name you found earlier)

Now type "exit" and reboot normally to Windows.

Step 3: Edit the registry to remove the hidden file link:

Run "reglite.exe" again.
Double click on "AppInit_DLLs" located in
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"
Delete the file in the "value" window (the "size" window changes automatically as well).
"Apply" changes and exit "reglite.exe".

Step 4: Scan the registry to remove the second file (if there):

Run "Ad-aware" or "HiJackThis" and scan the registry.
Check the boxes to remove the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

(as you can see my second .dll was called "jheckb.dll"; yours may be different) For this example let's call it "obvious.dll".

Finally delete the two .dlls ("hidden.dll" and "obvious.dll").

You should be running again.

n.b. You may find your antivirus program picks up the hidden.dll as a download trojan and it may remove it immediately.
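As an added example (not part of the original post or of any of the tools it names), the following Python script applies the two indicators the post relies on to text captured from the machine: it pulls the DLL path out of HijackThis R0/R1 lines whose data is a res:// page, splits an AppInit_DLLs value the way Windows does (space- or comma-separated names, a bare name loading from the system directory), and merges both into one list of files to inspect. The log lines and the AppInit value are constructed from the names the post reports, and the HijackThis line layout is assumed from the lines quoted above.

```python
import re

# Constructed sample in the shape HijackThis prints; "jheckb.dll" is the name the post
# reports, the Start Page line is benign filler so the filter has something to skip.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

HJT_LINE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.*)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)  # res://<dll>/<page>


def parse_hjt_line(line):
    """Split one R0/R1 line into (item, key, value name, data); None for other lines."""
    m = HJT_LINE.match(line.strip())
    return m.groups() if m else None

def res_dll_path(data):
    """Return the DLL path behind a res:// URL, or None when the data is not one."""
    m = RES_DLL.match(data.strip())
    return m.group(1) if m else None

def suspect_dlls_from_hjt(log):
    """DLLs that IE search/start-page entries load via res://, deduplicated case-insensitively."""
    found = {}
    for line in log.splitlines():
        parsed = parse_hjt_line(line)
        dll = res_dll_path(parsed[3]) if parsed else None
        if dll:
            found.setdefault(dll.lower(), dll)
    return sorted(found.values())

def parse_appinit(value):
    """Split an AppInit_DLLs value; Windows accepts space- or comma-separated names."""
    return [n for n in re.split(r"[ ,]+", value.strip()) if n]

def removal_candidates(appinit_value, hjt_log, system_dir=r"C:\WINNT\System32"):
    """Merge both sources; a bare AppInit name is loaded from the system directory."""
    paths = {}
    for name in parse_appinit(appinit_value):
        full = name if "\\" in name else system_dir + "\\" + name
        paths.setdefault(full.lower(), full)
    for dll in suspect_dlls_from_hjt(hjt_log):
        paths.setdefault(dll.lower(), dll)
    return sorted(paths.values())
```

Feed it your own HijackThis log and the string RegLite shows in the AppInit_DLLs value window; what it returns is a list of files to locate and scan, not a list to delete blindly.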
mazin, Posted July 26, 2004

I haven't got it yet. But, I'll save your post to my disk, just in case.
MCT, Posted July 26, 2004

also, just 2 prevent further infections, download SpywareBlaster, it will block activex & bad cookies & restrict bad sites, & its free: http://www.javacoolsoftware.com/spywareblaster.html

since installing this, i never get any spyware, of course i dont go "looking" either, meaning, i dont download any apps that contain adaware/spyware, & with this app, it blocks 100% of sites on the internet & enables u 2 add your own protection

regards
Aubs_UK (Author), Posted July 26, 2004

Seems to be picked up now by Symantec, with updated and easier removal instructions:
Classed as = backdoor.agent
http://securityresponse.symantec.com/avcen...or.agent.b.html

n.b. For those that don't know, CWS stands for CoolWebSearch (very nasty spyware!)
mazin, Posted July 26, 2004

Aubs_UK
Till I get infected, I should thank you for reglite. Really nice app.
Noise, Posted July 26, 2004

Curious. I just checked my registry for one of these "superhidden" registry entries. My AppInit_DLLs value says InstallHook.dll. Is this a trojan or something I need to be worried about?
mazin, Posted July 26, 2004

As I can understand from Aubs_UK, your registry editor isn't capable of revealing hidden DLLs.
Aubs_UK (Author), Posted July 26, 2004

> I just checked my registry for one of these "superhidden" registry entries. My AppInit_DLLs value says InstallHook.dll. Is this a trojan or something I need to be worried about?

Hi,

I recommend you use RegLite (available at http://www.resplendence.com/reglite).

Go to the same location in the registry, double-click on the AppInit_DLLs value, and it will tell you the location of the file.

Next, try and locate the file in Windows Explorer (turning on 'View All Files' - hidden + system). If you can see it, virus scan it, using the latest definitions.

However, if you can't see the file, try the steps in my first post at the top. This makes it visible in a Windows environment, and therefore scannable.

Good Luck