Re: coolwebsearch/res://bsahd.dll/index.html#12802

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 07/04/04

    Date: Sat, 3 Jul 2004 23:57:29 -0700

    Hi Russell - We've been seeing this a lot lately, and it's a very difficult
    CWS parasite variant to remove. Try Basic Cleaning, below first and then if
    necessary Approach 1 and/or Approach 2 and/or Approach 3.

    Before you try to remove spyware using any of the programs below, download a
    copy of LSPFIX from any of the following sites:

    http://www.cexx.org/lspfix.htm
    http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
    XP). The process of removing certain malware may kill your internet
    connection. If this should occur, this program, LSPFIX, will enable you to
    regain your connection.

    Approach 1 - You can try this AT YOUR OWN RISK. I normally wouldn't advise
    using a malware provider's uninstall, but this particular approach has been
    reported to work if you have the about:blank CWS variant which leads you to
    a Search page. Paste the following IP into your browser:

    195.190.118.131

    On the screen you arrive at, you see a "Search For" window, and below it a
    red "Uninstall Software". Download their uninstaller, uninstall.exe. At
    this point I would either use TotalUninstall or make a complete
    backup/Restore Point of my system for safety's sake (on the basis of "at
    least keep what you've got"). Total Uninstall,
    http://www.geocities.com/ggmartau/tu.html or direct dwnld here:
    http://files.webattack.com/localdl834/tun234.zip

    Run this uninstall program that you downloaded from the malware
    site, then UPDATE them and go to Safe mode to run UPDATED versions of
    CWShredder, AdAware and SpyBot per the directions in Basic, below.

    Approach 2 - If you've already tried CWShredder to get rid of this parasite
    (See below, v.159.0.1 or better and fully updated before use), then take a
    look at this thread about manual removal of this parasite:

    http://www.akadia.com/services/about_blank_virus.html
    and this one: http://www.daniweb.com/techtalkforums/thread5531.html
    and this one: http://computercops.biz/article-5199-nested-0-0.html

    Approach 3 - I don't usually recommend anything but freeware that I've
    confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, here:
    http://www.adwareaway.com/ claims to fix it automatically.

    Basic Cleaning - Note that this symptom often indicates the possibility of
    other malware. You might want to go to this page at Jim Eshelman's site, here:
    http://aumha.org/a/noads.htm or here:
    http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
    patient), while an analysis of a number of possible parasites on your
    machine will be made to help you identify and remove them. NOTE: You will
    need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad
    Blocking software which interferes with Java Scripting for this scan to
    work. You should get a message between the two lines of **** giving the
    results of the scan.

    All of these removal tools should be run from Safe mode
    when possible.

    For the general hijack case, the best way to start is to get Ad-Aware 6.0,
    Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
    UPDATE and run this regularly to get rid of most "spyware/hijackware" on
    your machine. If it has to fix things, be sure to re-boot and rerun
    AdAware again and repeat this cycle until you get a clean scan. The reason
    is that it may have to remove things which are currently "in use" before it
    can then clean up others.

    Another excellent program for this purpose is SpyBot Search and Destroy
    available here: http://security.kolla.de/ SpyBot Support Forum here:
    http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
    using both normally. After UPDATING and fixing things with SpyBot S&D, be
    sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
    clean "no red" scan. The reason is that SpyBot sometimes has to remove
    things which are currently "in use" before it can then clean up others.

    Note that sometimes you need to make a judgement call about what these
    programs report as spyware. See here, for example:
    http://www.imilly.com/alexa.htm

    A currently common parasite is some malware called CoolWebSearch. Do the
    following:

    Download, UPDATE before running, and run:
    http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
    Be sure to close all instances of IE and OE. You may also get it here if
    that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip

    There's a good tutorial about CWS and using CWShredder here:
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain

    BE SURE that you get v.159.0.1 or later!

    You will need to show Hidden files first and then at the end clear the
    malware garbage from your System Restore backups after you've cleaned up.
    It's best to perform CWShredder (and most other malware fixers too) from
    Safe mode and then reboot. AFTER cleaning things up, then you can disable
    and then re-enable System Restore. See ******** below.

    The following links give instructions on how to do these various functions:

    HOW TO Restart in Safe Mode
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    HOW TO Enable Hidden Files
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

    HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
    use the suggested procedure for XP at the ******'s)
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
    (WinXP)
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
    (WinME)

    Then download and run:
    http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
    tabs and remove any restrictions that the parasite has put in place.

    Now download and run:
    http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
    your search functions if they've been affected (as they probably will have
    been).

    Be sure that you also download and install hotfix Q816093, here:

    http://support.microsoft.com/?kbid=816093

    which blocks the exploit upon which this parasite family depends.

    If they don't fix it then start here:

    Download HijackThis, free, here:
    http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
    fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
    You may also get it here if that link is blocked:
    http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

    In Windows Explorer, click on Tools|Folder Options|View and check "Show
    hidden files and folders" and uncheck "Hide protected operating system
    files". (You may want to restore these when you're all finished with
    HijackThis.)

    Unzip the downloaded HijackThis to any convenient folder, start it then
    press Scan. Click on SaveLog when it's finished which will create
    hijackthis.log. Now click the Config button, then Misc Tools and click on
    Generate StartupList.log which will create Startuplist.txt

    Then go to one of the following forums:

    Spyware and Hijackware Removal Support, here:
    http://216.180.233.162/~swicom/forums/

    or Net-Integration here:
    http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

    or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

    Sign in, then copy and paste both files into a message asking for
    assistance. Someone will answer with detailed instructions for the removal
    of your parasite(s).

    *******
    ONLY IF you've successfully eliminated the malware, you can now make a new,
    clean Restore Point and delete any previously saved (possibly infected)
    ones. The following suggested approach is courtesy of Gary Woodruff: For XP
    you can run a Disk Cleanup cycle and then look in the More Options tab. The
    System Restore option removes all but the latest Restore Point. If there
    hasn't been one made since the system was cleaned you should manually create
    one before dumping the old possibly infected ones.
    *******

    Once you get this cleaned up, you might want to consider installing the
    SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
    happening in the future:

    http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
    ActiveX installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
    memory load - but keep it UPDATED) The latest version as of this writing
    will prevent installation or prevent the malware from running if it is
    already installed, and it provides information and fixit-links for a variety
    of parasites.

    http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
    install malware) Keep it UPDATED. Both Very Highly Recommended

    Finally, go to Windows Update and ensure that ALL Critical updates are
    installed.

    -- 
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP
     In news:O996OWXYEHA.3480@TK2MSFTNGP11.phx.gbl,
    Russell B <jmail@nospamdewplace.com> typed:
    > Doesn't, tried it.
    >
    > Still working on the problem.
    >
    > We get an about:blank for the start page. The popup shows 'System
    > Performance Wizard'
    >
    > Russell
    >
    >
    > "Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
    > news:%23NNxwNXYEHA.840@TK2MSFTNGP10.phx.gbl...
    >> Hi Russell -
    >> I'm informed that the 01R325 AdAware update of 6/28 supposedly completely
    >> removes this; however, I haven't been able to independently verify this.
    >> Try it first, and if it doesn't work then,
    >>
    >> See these threads first:
    >>
    >> <http://forums.spywareinfo.com/index.php?showtopic=7447>
    >> <http://forums.spywareinfo.com/index.php?showtopic=7261>
    >> <http://forums.spywareinfo.com/index.php?showtopic=7281>
    >>
    >>
    >>
    >>
    >> Then from merijn, here: <http://www.spywareinfo.com/~merijn/index.html>
    >>
    >>
    >>
    >>
    >> June 18, 2004:
    >>
    >> Please stop emailing me about the new CWS variant that hijacks you to
    >> res://<random>.dll/sp.html#96676. I am aware of this new thing, but it's
    >> a beast to remove.
    >> A solution is being worked on, see this thread on the SWI forums
    >> <http://forums.spywareinfo.com/index.php?showtopic=7447>.
    >>
    >> If it's not working for you, or it's too complicated, I heard from
    >> several people that this workaround works as well:
    >>
    >> Open the DLL you get hijacked to in Notepad
    >>
    >> Select all content (Ctrl-A) and delete it
    >>
    >> Save the file and exit Notepad
    >>
    >> Find the file in Explorer, right-click it, select Properties, put a
    >> checkmark in 'Read-Only' and click OK.
    >>
    >> If you can't find the DLL file, make sure your settings allow you to view
    >> "Hidden files". Open up any explorer windows and click on "Tools",
    >> "Folder Options", "View" and be sure to check off "Show Hidden Files and
    >> Folders".
    >>
    >>
    >>
    >>
    >> --
    >> Please respond in the same thread.
    >> Regards, Jim Byrd, MS-MVP
    >>
    >>
    >>
    >>  In news:ey%23zQEXYEHA.212@TK2MSFTNGP12.phx.gbl,
    >> Russell B <jmail@nospamdewplace.com> typed:
    >>> I have been fighting this spyware for over two weeks on a client's
    >>> computer.  We have run HiJackthis and cleaned the files.  Then ran
    >>> CWShredder, Hijackthis showed it clean.
    >>>
    >>> This lasted a day and the problem
    >>> was back, I suspect the trojan is hiding in other user accounts ie
    >>> administrator on the computer.
    >>>
    >>> The popups go to (d8t.biz is owned by Pan Koudelka in Prague, Czech
    >>> Republic, email pankoudelka@yahoo.com):
    >>>
    >>>              http://c1dcon.d8t.biz/popup2php?pin=1
    >>>             http://c1dcon.d8t.biz/popup3php?pin=1
    >>>             http://c1dcon.d8t.biz/popup5php?pin=1
    >>>             http://c1dcon.d8t.biz/popup6php?pin=1
    >>>             http://c1dcon.d8t.biz/popup7php?pin=1
    >>>             http://c1dcon.d8t.biz/popup14php?pin=1
    >>>
    >>> These are the items that HiJackThis found in our case:
    >>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    >>> =file://C:\DOCUME~1\Doug\LOCALS~1\Temp\sp.html
    >>> R1 -HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    >>> =file://C:\DOCUME~1\Doug\LOCALS~1\Temp\sp.html
    >>> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    >>> file://C:\DOCUME~1\Doug\LOCALS~1\Temp\sp.html
    >>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
    >>> =file://C:\DOCUME~1\Doug\LOCALS~1\Temp\sp.html
    >>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
    >>> =file://C:\DOCUME~1\Doug\LOCALS~1\Temp\sp.html
    >>> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    >>> file://C:\DOCUME~1\Doug\LOCALS~1\Temp\sp.html
    >>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
    >>> about:blank
    >>> O2 - BHO: (no name) - {6AA0199E-AE54-4ABC-B697-021FF87084E0} -
    >>> C:\WINDOWS\System32\canhcaa.dll
    >>>
    >>> I have several days of time in this problem.  My question is why is this
    >>> not a MAJOR priority for Microsoft to fix.  Where is the critical update?
    >>> The Coolwebsearch has been known for many months; there are several
    >>> articles:
    >>> http://www.wired.com/news/infostructure/0,1377,63280,00.html
    >>> http://www.theregister.com/2004/06/29/cws_shredder/
    >>>
    >>> The Register is not the most credible source but still interesting
    >>> information.  I am now looking for software to buy or download that will
    >>> clean this and keep this off my other computers.  And hope that the
    >>> authorities will find the time to go after the criminals that produce
    >>> and use this type of software.
    >>>
    >>> Russell
    >>>
    >>>
    >>>
    >>>
    >>> "hamongb@bellsouth.net" <anonymous@discussions.microsoft.com> wrote in
    >>> message news:2686f01c46166$3134aa30$a301280a@phx.gbl...
    >>>> Nice post Trafton.  I will definitely make my way over to
    >>>> the site you noted.  I have been struggling with this
    >>>> tricky little mutha for about 10 hours now, on and off.
    >>>> It shows up in my registry repeatedly associated with
    >>>> res://bsahd.dll/index.html#12802 settings to appropriate
    >>>> my internet homepage.  I have downloaded multiple
    >>>> ad/spyware apps, including those previously noted, with no
    >>>> success.  This little trojan has planted itself deep and
    >>>> regenerates after login.  I've installed a new firewall
    >>>> with fairly restrictive settings after running numerous
    >>>> cleansings with the "Spy Fighters" previously noted. They
    >>>> have located some of the offending entries (references to
    >>>> res://bsahd.dll/index.html#12802) in the registry, but
    >>>> they appear again after removal.  The entries, once
    >>>> removed, stay gone even after login.  They rear their
    >>>> nasty little heads again as IE is launched (on my machine
    >>>> anyway).  That should give me a great clue as to where to
    >>>> look, but I've dabbled with this and didn't want to waste
    >>>> the whole Saturday on this nonsense.  As I type, another
    >>>> pop-up appeared to sell the offending party's POPUP
    >>>> Blocker.  This is nothing short of friggin blackmail and
    >>>> outright espionage and the government needs to pay closer
    >>>> attention to this crap.  Not that I'm bitter, but it has
    >>>> been 10 or so hours of my life wasted (although I have
    >>>> kind of enjoyed the hunt).  Anyhow, thanks a bunch for
    >>>> another path to explore.
    >>>>
    >>>> Comwrapper
    >>>>
    >>>> As
    >>>>> -----Original Message-----
    >>>>> Hi Wayner,
    >>>>>
    >>>>> CWS is probably the nastiest piece of spyware out there
    >>>>> these days. It's invasive, tricky, and difficult to remove.
    >>>>> Fortunately, there is a program out there that is able to
    >>>>> remove most versions:
    >>>>>
    >>>>> http://www.majorgeeks.com/download4086.html
    >>>>>
    >>>>> More information is available about this program here:
    >>>>>
    >>>>> http://www.spywareinfo.com/~merijn/downloads.html
    >>>>>
    >>>>> As CWS is evolving rapidly, the best defense against it
    >>>>> is avoiding future infection by setting Internet Explorer
    >>>>> security for the Internet zone to High.
    >>>>>
    >>>>> Hope this helps!
    >>>>>
    >>>>> Sincerely,
    >>>>> Benjamin "Trafton" Johnstone-Anderson
    >>>>> Microsoft MVP - Windows Security
    >>>>> Remove "SPAM" from email address to reply!
    >>>>> Security Manifest: www.msmvps.com/trafton/
    >>>>>
    >>>>> "Wayner" <anonymous@discussions.microsoft.com> wrote in
    >>>>> message news:254a001c46050$a10eac00$a401280a@phx.gbl...
    >>>>>> Hi,
    >>>>>> Has anyone seen a variant of CWS that seems to use
    >>>>>> Office 2003 install? I have tried to remove the program
    >>>>>> manually, Ad Aware and Spybot do not remove it.  After
    >>>>>> manually deleting registry entries, on reboot I get
    >>>>>> the "installing MS Office 2003" dialog box - like when
    >>>>>> you first open a new profile, and then the Web page is
    >>>>>> set back to the CWS stuff.  If I cancel this install a
    >>>>>> few times it goes away, but then when I click on IE I
    >>>>>> again get the "Installing MS Office 2003" dialog box and
    >>>>>> the CWS comes back.  The machine is an XP SP1, all
    >>>>>> security updates, Symantec corporate, Adaware and spybot
    >>>>>> loaded.
    >>>>>> Thanks - Wayner
    >>>>>
    >>>>>
    >>>>> .
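As an added example, not part of this thread or of HijackThis, CWShredder or any other tool named in it: a small Python scanner that reads HijackThis-style R0/R1/O2 lines and flags the hijack patterns the posters describe (a start or search page served out of a res:// DLL or a local Temp sp.html, HomeOldSP left as about:blank, and an unnamed BHO loading from System32). The log below is constructed from the entries Russell quoted; the "Example Helper" BHO, its all-zero CLSID and the example.com start page are made-up benign fillers.

```python
import re

# Constructed sample HijackThis log, modelled on the R0/R1/O2 entries quoted in
# this thread; the "Example Helper" BHO and the example.com line are benign
# fillers with made-up values, so the scanner has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Doug\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Doug\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bsahd.dll/index.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {6AA0199E-AE54-4ABC-B697-021FF87084E0} - C:\WINDOWS\System32\canhcaa.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
""".strip()

# R0/R1 lines: "<R0|R1> - <hive>\<key path>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),([^=]+?) = (.*)$")
# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def classify_page(value_name, data):
    """Return a reason string if an IE start/search page entry looks hijacked."""
    d = data.strip().lower()
    if d.startswith("res://") and ".dll" in d:
        return "page served out of a res:// DLL resource"
    if d.startswith("file://") and "\\temp\\" in d:
        return "page is a local HTML file in a Temp folder"
    if d == "about:blank":
        return "about:blank in %s (hijack symptom when paired with the above)" % value_name.strip()
    return None


def classify_bho(name, clsid, path):
    """Return a reason string if a BHO entry looks like a dropped helper DLL."""
    if name.strip() == "(no name)" and "\\system32\\" in path.lower():
        return "unnamed BHO %s loading from System32" % clsid
    return None


def scan_hijackthis(text):
    """Walk a HijackThis log and return (line number, entry type, reason) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = R_LINE.match(line)
        if m:
            reason = classify_page(m.group(4), m.group(5))
            if reason:
                findings.append((lineno, m.group(1), reason))
            continue
        m = BHO_LINE.match(line)
        if m:
            reason = classify_bho(*m.groups())
            if reason:
                findings.append((lineno, "O2", reason))
    return findings
```

Run `scan_hijackthis(SAMPLE_LOG)` to get the five flagged entries; the example.com start page and the named BHO under Program Files are left alone.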
    
