CoolWebSearch wont go away
Tokar
Post #1 Feb 12 2005, 07:24


Windows XP Pro

My browser keeps getting hijacked by CWS. CWShredder says it's CWS.HiddenDLL and it removes it, or so it says, only for it to come back a few reboots later.

When running HijackThis without the CWShredder program, it finds a few problematic entries...

It finds that two of the IE pages are set to the CWS standard page:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\<user>\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\<user>\LOCALS~1\Temp\sp.dll/sp.html

Then it finds:
O2 - BHO: (no name) - {BF160F57-828F-42E6-9FD4-3C6D4BE29528} - C:\WINDOWS\system32\<random name>.dll

And:
O18 - Filter: text/html - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\<random name>.dll
O18 - Filter: text/plain - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\<random name>.dll

Where <random name> is some randomly generated alphanumeric code, in this case jjgd, and it is the same for all three of them.

And lastly, it finds a key, which I don't have a log of, but it's in the registry location of the startup\Run stuff, and is a rundll32 of the se.dll as mentioned earlier.


Now...
If I decide to remove this stuff in HijackThis before killing the rundll32.exe service in the processes, it does nothing, and everything I checked returns. If I kill the process rundll32.exe, I can delete the entries for good, until it comes back a few reboots later.

After killing rundll32, actually even without killing it, I'm able to delete the se.dll file in the temp folder. But after a few reboots the file returns, the thing is in the startup, all those entries are back and my homepage is hijacked (as well as causing a lot of my software to crash, like explorer.exe and msimn.exe [Outlook Express]).

I would figure that after I do all the HijackThis work and CWShredder work it would be gone, but it's not.

I remember someone told some other guy who had a recurring CoolWebSearch on his system to check this reg entry, AppInit_DLLs... I can't remember its location. But it would have something that the Windows registry editor couldn't read, and something like Registrar Lite could do it, as well as say if there is actually something there.
I used Registrar Lite and it said the key size was 0, that nothing was there.

So I'm clueless. I have no idea how to remove this thing.

Anyone have any ideas?

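The HijackThis entries listed in the post above, worked through as an added example in Python (not code from the thread or from HijackThis): a small triage of log lines in the HijackThis format that flags the same indicators the poster found and correlates them by DLL. The sample log is constructed: the R1, O2 and O18 lines mirror the quoted entries with <random name> filled in as jjgd, while the O4 rundll32 line (the poster had no log of it, so the DllInstall export name is an assumption), the R0 line and the benign O2/O4 lines are invented for contrast. The rules are heuristics; the strongest signal is the O18 pair, because a MIME filter on text/html or text/plain sits in front of every page IE renders.

```python
"""Triage HijackThis-format log lines for the CWS indicators described above.

Added example, not code from the thread or from HijackThis. SAMPLE_LOG is
constructed: the R1, O2 and O18 lines mirror the quoted entries with <random
name> filled in as "jjgd"; the O4 rundll32 line (no log of it was posted, and
the DllInstall export is assumed), the R0 line and the benign O2/O4 lines are
invented for contrast.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
O2 - BHO: (no name) - {BF160F57-828F-42E6-9FD4-3C6D4BE29528} - C:\WINDOWS\system32\jjgd.dll
O2 - BHO: Example Vendor Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\user\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O18 - Filter: text/html - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\jjgd.dll
O18 - Filter: text/plain - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\jjgd.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)  # ...\Temp\... anywhere in the path
SYSTEM32_RANDOM_RE = re.compile(r"\\system32\\[a-z]{4,8}\.dll$", re.I)  # weak heuristic only


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O18"
    reason: str  # why the line was flagged
    path: str    # DLL the entry points at (lower-cased so entries correlate)
    line: str    # the original log line


def _fields(body: str) -> list[str]:
    # O2/O18 bodies are "label - {CLSID} - path"; a path containing " - " would break this.
    return [f.strip() for f in body.split(" - ")]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            # A start/search page served out of a DLL via res:// is not something a user sets.
            value = body.partition(" = ")[2]
            if value.lower().startswith("res://"):
                dll = value[len("res://"):].split("/")[0]
                findings.append(Finding(kind, "IE page served from a res:// resource in a DLL", dll.lower(), line))
        elif kind == "O2":
            label, dll = _fields(body)[0], _fields(body)[-1]
            reasons = []
            if label.endswith("(no name)"):
                reasons.append("BHO registered without a name")
            if SYSTEM32_RANDOM_RE.search(dll):
                reasons.append("short letters-only DLL name in system32 (heuristic)")
            if reasons:
                findings.append(Finding(kind, "; ".join(reasons), dll.lower(), line))
        elif kind == "O4":
            cmd = body.partition("] ")[2]
            if "rundll32" in cmd.lower():
                dll = next((t for t in re.split(r"[\s,]+", cmd) if t.lower().endswith(".dll")), "")
                if TEMP_DIR_RE.search(dll):
                    findings.append(Finding(kind, "rundll32 loads a DLL from a Temp folder at logon", dll.lower(), line))
        elif kind == "O18":
            mime, dll = _fields(body)[0][len("Filter: "):], _fields(body)[-1]
            if mime.startswith("text/"):
                # A MIME filter on text/html or text/plain sits in front of every page IE renders.
                findings.append(Finding(kind, f"MIME filter on {mime}", dll.lower(), line))
    return findings


def correlate(findings: list[Finding]) -> dict[str, set[str]]:
    """DLLs that show up in more than one section: one component, several hooks."""
    by_path: dict[str, set[str]] = {}
    for f in findings:
        by_path.setdefault(f.path, set()).add(f.kind)
    return {p: kinds for p, kinds in by_path.items() if len(kinds) > 1}


def implicated_dlls(findings: list[Finding]) -> list[str]:
    """Every DLL the flagged entries point at: the files to account for before cleaning."""
    return sorted({f.path for f in findings})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind}: {f.reason}\n    {f.line}")
    print("same DLL in several sections:", correlate(found))
    print("DLLs to account for:", implicated_dlls(found))
```

The R0 line set to about:blank is deliberately not flagged on its own: about:blank is a legitimate setting, and what makes it suspicious on this machine is the res:// search bar pointing into Temp, the nameless BHO, and the two text/* filters that all resolve to one DLL in system32. That correlation is the output to act on; deleting the Run entry alone leaves the BHO and filters to reload the same code.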
Jaded
Post #2 Feb 12 2005, 07:31


Before running CWShredder, are you turning off System Restore? Also try MS AntiSpyware. I have found it pretty good at removing CWS.
Tokar
Post #3 Feb 12 2005, 07:36


QUOTE(Jaded @ Feb 12 2005, 02:31)
Before running CWShredder, are you turning off System Restore? Also try MS AntiSpyware. I have found it pretty good at removing CWS.


I've had System Restore off since day 1.

MS AntiSpyware doesn't find anything, to tell you the truth. Excuse me, I'm using GIANT AntiSpyware, most recent version (1.0.301 or something), which is the last version before it became MS AntiSpyware. It finds nothing.
Marsden
Post #4 Feb 12 2005, 08:32


Like the man said, move up to the real deal...
Hawkeye
Post #5 Feb 12 2005, 10:05


Hmm. This does look like something I have seen before. It may be a very nasty variant of CWS, but I'm not 100% sure at this point.

See my post here from a few weeks ago. It's long and detailed, but make sure you read all of it carefully and see if it will work for you.

If I remember correctly, your homepage in Internet Explorer is most likely hijacked and is set to about:blank. When this variant of CWS isn't on your computer, about:blank is supposed to show a blank white page. Since the CWS is on your computer, it likely shows some search engine-like page.

buzz99
Post #6 Feb 13 2005, 03:55


There is a new version of CWShredder somewhere. Get some antispyware software (Ad-Aware, Spybot, SpywareGuard, SpywareBlaster and YES, Microsoft AntiSpyware), clean your system and wait a day. Do the same if CWS comes back. You can beat spyware!!!
Tokar
Post #7 Feb 13 2005, 04:16


OK...

marsden: GIANT is the same as Microsoft. It uses the same engine and the same antispyware definitions. It doesn't matter which you use. In fact GIANT is a bit better since it comes with some built-in code to prevent certain ActiveX hijacks, something which Microsoft removed and hopefully will add at a later time (it was called System Inoculation)... GIANT tells current users not to upgrade, rather to let their current subscription run its length.

Hawkeye: yeah, that thread, the one I had replied in. If you look in my original post in THIS thread, I had said there was nothing showing on AppInit_DLLs.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs... that is the location, I checked there. That was the first thing I did actually... I went and read your post when I first got the infection.

buzz99: CWShredder 2.13. As I said in my original post, it finds CWS.HiddenDLL. It says it removes it, but it keeps coming back. I have SpywareBlaster, but that isn't really a spyware remover, rather something that secures your computer to protect against further infection. I don't need or want Ad-Aware or Spybot. And as I said, Microsoft = GIANT... it's the exact same product. I've just waited a day and it came back after cleaning.


Here's the only update I have...
I was deleting the file c:\documents and settings\<user>\local settings\temp\se.dll... which it was first running. But after I deleted that it would put itself in c:\windows\temp, same DLL, and initialize it there, which I didn't notice until after I made the post. I thought deleting it would fix it, but it didn't.
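The AppInit_DLLs check from the post above, as an added example that is not part of the thread. It assumes the hiding trick that Registrar Lite was meant to expose is an embedded NUL character in the REG_SZ value: a viewer that treats the data as a C string stops at the first NUL and displays nothing, while the raw data behind it still names a DLL. The distinguishing signal is the data length, not the displayed text, which is why a reported size of 0 does mean the value is genuinely empty. The byte strings below are constructed, not read from a registry, and the DLL names in them are placeholders.

```python
"""Tell an empty AppInit_DLLs value from one hidden behind an embedded NUL.

Added example, not from the thread. Assumes the hiding technique is an embedded
NUL in a REG_SZ value; the blobs below are constructed, not read from a registry,
and the DLL names are placeholders.
"""
from __future__ import annotations


def reg_sz(*segments: str) -> bytes:
    """Build the raw bytes of a REG_SZ value: UTF-16LE text, NUL-joined, NUL-terminated."""
    return "\x00".join(segments).encode("utf-16-le") + b"\x00\x00"


# Constructed sample data for the three situations a practitioner will meet.
EMPTY = b""                                              # data length 0: truly nothing there
VISIBLE = reg_sz(r"C:\WINDOWS\system32\example.dll")     # normal value, shown in full
HIDDEN = reg_sz("", r"C:\WINDOWS\system32\jjgd.dll")     # NUL first: C-string readers show ""


def c_string_view(raw: bytes) -> str:
    """What a NUL-terminated reader shows: the text up to the first NUL."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def raw_view(raw: bytes) -> list[str]:
    """Every non-empty NUL-separated segment, as a tool that honours the data length lists it."""
    return [seg for seg in raw.decode("utf-16-le").split("\x00") if seg]


def classify(raw: bytes) -> str:
    """'empty' (nothing to find), 'visible' (plain value) or 'hidden' (data after a leading NUL)."""
    segments = raw_view(raw)
    if not segments:
        return "empty"
    if c_string_view(raw) == "":
        return "hidden"
    return "visible"


def report(raw: bytes) -> str:
    """One-line summary comparing the displayed string with the real data length."""
    shown = c_string_view(raw)
    return f"{classify(raw)}: displays {shown!r}, data length {len(raw)} bytes, segments {raw_view(raw)}"


if __name__ == "__main__":
    for name, blob in (("EMPTY", EMPTY), ("VISIBLE", VISIBLE), ("HIDDEN", HIDDEN)):
        print(f"{name:8} {report(blob)}")
```

The check to make on a live system is therefore the data length of the value against what the editor displays: a non-zero length with an empty display is the hidden case, and the segments after the first NUL are the DLLs actually being injected into every process that loads user32.dll.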
k22
Post #8 Feb 13 2005, 05:07


Are you closing all windows (IE and Explorer) when you run CWShredder? Also, it would not hurt to try Ad-Aware and Spybot (both detect CoolWebSearch as well); you can uninstall them if they don't remove it.
ghostwind
Post #9 Feb 13 2005, 05:18


You should try using a browser like Firefox. Unless you have to surf websites that use ActiveX and other Microsoft-unique features, Firefox is a much more secure product.
Tokar
Post #10 Feb 13 2005, 05:59


QUOTE(ghostwind @ Feb 13 2005, 00:18)
You should try using a browser like Firefox. Unless you have to surf websites that use ActiveX and other Microsoft-unique features, Firefox is a much more secure product.


Thanks but no thanks.

As I tell every other person who suggests this... this is pretty bad advice to give anyone, if you ask my opinion. Most people prefer not to change what they use on the computer... and suggesting they do so is not usually good advice. It's usually the last advice I give anyone in need of help on a certain program (to tell them to use another program that does the exact same thing).

As far as the guy who asked about closing IE and such: yeah, IE is closed when I run it.

I suppose I can give Ad-Aware and SB a try... I'm assuming you mean run those things AFTER I clean up the system (or what I believe to be clean), yes?

If yes, I'll let you know my results after the runs.
Tokar
Post #11 Feb 13 2005, 06:07


OK... now this time Kaspersky, when opening Internet Explorer and getting the about:blank page, says that se.dll is infected with:
Trojan.Win32.startpage.gn

And it deletes it.

It deletes the two se.dll files when I open up their folders:
c:\documents and settings\<user>\local settings\temp
c:\windows\temp

Now that I have deleted the DLLs (they no longer exist), every program that relies on some component of Windows or something crashes, since it's tied to the missing DLL, I believe. It won't be until I reboot that everything fixes itself.
This includes explorer.exe, Internet Explorer, Outlook Express... to name a few.


Every time I run an Explorer window or Internet Explorer window I get this... it's as if it creates the DLL now when I open it.
ghostwind
Post #12 Feb 13 2005, 06:11


QUOTE(Tokar @ Feb 13 2005, 05:59)
Thanks but no thanks.

As I tell every other person who suggests this... this is pretty bad advice to give anyone, if you ask my opinion. Most people prefer not to change what they use on the computer... and suggesting they do so is not usually good advice. It's usually the last advice I give anyone in need of help on a certain program (to tell them to use another program that does the exact same thing).
As far as the guy who asked about closing IE and such: yeah, IE is closed when I run it.

I suppose I can give Ad-Aware and SB a try... I'm assuming you mean run those things AFTER I clean up the system (or what I believe to be clean), yes?

If yes, I'll let you know my results after the runs.


Simmer down... It really isn't that big of a deal. I was just stating a known fact about Firefox. It isn't Microsoft's fault that it has 95% of the market share and is subject to numerous vulnerabilities... anyways, you can always try blocking the program from running through software policies if you are running XP Professional.
k22
Post #13 Feb 13 2005, 06:13


Start, Run, sfc /scannow to replace any damaged/missing system files.

Also, yes, run both Ad-Aware (http://www.lavasoft.de/) and Spybot (http://www.safer-networking.org/).
Tokar
Post #14 Feb 13 2005, 06:15


QUOTE(ghostwind @ Feb 13 2005, 01:11)
Simmer down... It really isn't that big of a deal. I was just stating a known fact about Firefox. It isn't Microsoft's fault that it has 95% of the market share and is subject to numerous vulnerabilities... anyways, you can always try blocking the program from running through software policies if you are running XP Professional.


I'm not upset, nor is the hair on my back raising up like a ****ed off cat. I'm just stating what I think when people suggest that.
Hawkeye
Post #15 Feb 14 2005, 10:24


Tokar, my apologies for making such a generic reply and not reading through your entire post. It was about 5:00 AM in the morning when I posted the first time, half asleep.

I did read your whole post this time. I actually did some research on the side with this also, and it actually appears that there is a newer CWS variant going around that also has the about:blank homepage hijack in Internet Explorer, but isn't fixed using the methods for the other one. History may actually come to show this variant to be more insidious than the other one from before!

Here is one thing that may or may not work, but there is no harm in trying it. It's a removal tool from Symantec that is supposed to remove the particular spyware/trojan responsible for it. It may or may not work if you have the new variant, but as I said, there is no harm in trying. Here it is: Backdoor.Agent.B Removal Tool.

Post here to let us know if you have any success at all with it. It will scan your hard drive and remove it if it finds anything, or report that it found nothing if that is the case.