
CWS Super Hidden DLL


Aubs_UK


To Remove “CWS” Hijacker Adware in Windows 2000 SP4 with Internet Explorer 6.0 SP1

(probably works in NT and XP with some directory name changes only)

Programs Needed:

1. Reglite.exe << more powerful than regedit.exe and regedt32.exe

(available at “http://www.resplendence.com/reglite”)

2. Microsoft Recovery Console

(an option available on your Windows CD or root drive)

run “X:\i386\winnt32.exe /cmdcons”

where “X” is either CD drive letter or is “C” for your root.

3. Ad-aware.exe

(available at “http://www.lavasoft.de ")

or

HiJackThis.exe

(available at “http://download.com.com/3000-2144-10227352.html”)

Method:

There are 2 application extensions (.dll) files that need to be deleted. One is super-hidden, one is detected with the spyware detector progs above. You may find that you just need the super-hidden file to be removed if you've previously cleaned up very recently.

Just a quick note about the super-hidden DLL. Why is it super-hidden? The location of the registry entry it's in makes it unseen in the Windows environment. Follow the steps below, and you'll see why...

Step 1:

With “Reglite.exe” find name of hidden file:

Double Click on “AppInit_DLLs” located in

“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows”

The “value” window reveals the hidden file name, (mine was “logao.dll”, yours may be different!). In this example let’s call it “hidden.dll”.

n.b. If you try and use regedit.exe or regedt32.exe, and go to the same location, you will not find any value for AppInit_DLLs.

Step 2:

Rename the hidden file:

Close Windows and reboot using “Windows Recovery Console”

(this is in your Start-up Options on boot up, e.g.

"Microsoft Windows 2000 Professional" /fastdetect

"Microsoft Windows 2000 Recovery Console" /cmdcons <<< select this one)

Go to “c:\Windows\system32\” and do two things.

1st, change the file from read-only by typing “attrib -r hidden.dll”

2nd, rename it by typing “rename hidden.dll nasty.dll”

(and remember that “hidden.dll” is for this explanation only; use the name you found earlier)

Now type “exit” and reboot normally to Windows.

Step 3:

Edit registry to remove hidden file link:

Run “reglite.exe” again.

Double Click on “AppInit_DLLs” located in

“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows”

Delete the file in “value” window (the “size” window changes also automatically).

“Apply” changes and exit “reglite.exe”.

Step 4:

Scan registry to remove the second file (if there):

Run “Ad-aware or HiJackThis” and scan the registry.

Check the boxes to remove the following entries:

“R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank”

(as you can see, my second .dll was called “jheckb.dll”; yours may be different). For this example let’s call it “obvious.dll”.

Finally, delete the two .dlls (“hidden.dll” and “obvious.dll”).

You should be running again.

n.b. You may find your antivirus program picks up the hidden.dll as a download trojan and removes it immediately.
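As an added example (not part of the original post or of any tool it mentions), a small Python script that parses HijackThis-style R0/R1 lines like those quoted above, flags the entries redirected into a local res:// DLL, and splits an AppInit_DLLs value into its DLL names; the log lines are constructed after the ones in the post, plus one benign entry for contrast.

```python
import re

# Constructed sample in HijackThis R0/R1 format, modelled on the entries quoted
# above; the last line is a constructed benign entry for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

ENTRY_RE = re.compile(
    r"^(?P<kind>R[01]) - (?P<key>HK(?:CU|LM)\\[^,]+),(?P<name>[^=]+?) = "
    r"(?P<value>.*?)(?P<obf> \(obfuscated\))?$"
)
# res:// serves a page stored inside a local binary; the hijacker points IE's
# start/search pages at a DLL it dropped in System32, so any such value is a flag.
RES_DLL_RE = re.compile(r"^res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)

def parse_entries(log_text):
    """Parse R0/R1 lines into dicts; 'suspicious' is set for res:// DLL targets."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not an R0/R1 entry (blank line, other HijackThis sections)
        dll = RES_DLL_RE.match(m.group("value"))
        entries.append({
            "kind": m.group("kind"), "key": m.group("key"),
            "name": m.group("name"), "value": m.group("value"),
            "dll": dll.group("dll") if dll else None,
            "suspicious": bool(dll or m.group("obf")),
        })
    return entries

def hijack_dlls(log_text):
    """Distinct DLL paths the start/search entries have been redirected into."""
    return sorted({e["dll"] for e in parse_entries(log_text) if e["dll"]})

def split_appinit_dlls(value):
    """AppInit_DLLs holds a space- or comma-separated list of DLL names."""
    return [d for d in re.split(r"[ ,]+", value.strip()) if d]

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print("SUSPECT" if e["suspicious"] else "ok     ", e["name"], "=", e["value"])
    print("DLLs to scan or remove:", hijack_dlls(SAMPLE_LOG))
    print("AppInit_DLLs entries:", split_appinit_dlls("logao.dll"))
```

The DLL paths it prints are the files to scan with current definitions (or remove, as in Step 2 and the final step above); the AppInit_DLLs value is read from RegLite as in Step 1.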



also, just to prevent further infections, download SpywareBlaster. It will block ActiveX & bad cookies & restrict bad sites, & it's free :)

http://www.javacoolsoftware.com/spywareblaster.html

since installing this, I never get any spyware. Of course I don't go "looking" either, meaning I don't download any apps that contain adware/spyware, & with this app, it blocks 100% of sites on the internet & enables you to add your own protection.

regards


Curious.

I just checked my registry for one of these "superhidden" registry entries. My AppInit_DLLs value says InstallHook.dll. Is this a trojan or something I need to be worried about?

:)



I just checked my registry for one of these "superhidden" registry entries. My AppInit_DLLs value says InstallHook.dll. Is this a trojan or something I need to be worried about?

Hi,

I recommend you use RegLite (available at http://www.resplendence.com/reglite).

Go to the same location in the registry, double-click on the AppInit_DLLs value, and it will tell you the location of the file.

Next, try and locate the file in Windows Explorer (turning on 'View All Files', hidden + system). If you can see it, virus scan it using the latest definitions.

However, if you can't see the file, try the steps in my first post at the top. This makes it visible in a Windows environment, and therefore scannable.

Good Luck :)
