CWS home search assistant and folders being renamed

I am running XP.

I ran CWSchredder and it did not find any CWS malware on my system. However, Spyware Doctor indicated that my computer has CWS.Home Search Assistant malware on it. Just after using Spyware Doctor to fix the problem, my computer really was screwed up. I then used System Restore to get back to where I was.

On looking at my folders, some of the folders under "My Documents" have been renamed to names such as SUVRDLHZ, PJTPKRWN, FHAWAPVV, and BEOSNDAB.

Help! What can I do to fix these problems?

 

Welcome to MajorGeeks.com, please follow the steps below:

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

• Make sure you check version numbers and get all updates.

Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

Downloading, Installing, and Running HijackThis

 

Hi,

I ran all the steps in READ & RUN ME FIRST Before Asking for Support.

Spybot Search & Destroy found and fixed three problems:
1. Registry Cleaner, Program directory
C:\Document and Settings\Administrator.ORGANIZA-DWNB4A\Application Data\Registry Cleaner\
2. Registry Cleaner, Settings
HKEY_USERS\S-1-5-21-682003330-1409082233-839522115-500\Software\RegistryOptimizer.com
3. Windows Security Center.AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microosft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft Antispyware detected an attempt to change security level trusted site (which I blocked)

I could not connect to the internet in safe mode and ran the online scanning in normal mode.

Bitdefender found and deleted two items (see attached file)
1. C:\Program Files\NZSearch\Uninstall.exe
2. A0004153.exe

Panda ActiveScan found two adwares (see attached file)
1. startpage.amb
2. gator

Oddly, when I went to save the Panda ActiveScan file, the option to "Save type as" was in spanish as in Save type as Documentos de texto (*.txt)

Another thing, a new folder appeared on my harddrive today, entitled
"C:\Document and Settings\Administrator.ORGANIZA-DWNB4A"

Attached is my Hyjack This log

My computer still is acting funny. Please help!

 

Please see the below thread on how to install and run Ewido Security Suite.

Running Ewido Security Suite ...

 

I run Ewido Security Suite and attached the results. Basically, no infected objects were found. However, on rebotting in normal mode, the following message appeared:

Acrobat IEHewlper:iexplore.exe - Application form
The instruction at "0x1001cbf1" referenced memory at "0x1001cbf1". The memory could not be "read". Click on OK to terminate the program.

I selected the X on the window to close the box instead of clicking on OK.

I reran hijackthis and attached the file.

 

Please look in Add or Remove Programs for the following and Uninstall them if found:

Ewido

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - (no file)

O3 - Toolbar: (no name) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - (no file)

O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
(If you know these entries, keep them)

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

After you complete the above, reboot to normal windows and procede with the below...

Reset Web Settings & Default Security Settings:

To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

Finally, I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore

• First, turn OFF System Restore to flush any bad Restore Points.
• Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above, reboot and attach a fresh HJT log. Also let me know how things are running.

 

1. HIJACK THIS
After checking the boxes of the HiJack This items and clicking Fix, Windows Antispyware posted the following Notice:

“An Internet Explorer Start Page URL change require your approval. The Internet Explorer URL for your Start Page is attempting to be changed from
http://hsremove.com/done
to
about:blank
Then default URL for your Start Page is http://www.msn.com.

I chose to block the above Windows Antispyware approval request.

I reran HiJack This again and noticed that the following HiJack This items did not delete in my first attempt.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

I checked this item, selected Fix. However, I don’t think it’s deleted.

2. ADAWARE
I was unable to update to the 04.01.2006 definitions file and used the 28.12.2005 definitions file during the scan.

3. Ad-Adaware and Spybot
Your instructions did not say to run Ad-Adaware and Spybot in Safe Mode, so I ran them in Normal mode.

4, Spybot
Spybot Search & Destroy found and fixed two problems:
1. Registry Cleaner, Program directory
C:\Document and Settings\Vincent\Application Data\Registry Cleaner\
2. Registry Cleaner, Settings
HKEY_USERS\S-1-5-21-682003330-1409082233-839522115-1004\Software\RegistryOptimizer.com

These Spybot problems are very similar as to those found in my majorgeeks.com post of 01-02-06, 22:13.

I reran Spybot after fixing these problems and Spybot did not find any more problems.

5. HiJack This Log
I attached a fresh HiJack This Log

 

First, let me say if your going to use "Outpost Firewall" you need to get rid of NIS because more than one firewall will cause conflicts.

Also, shutdown MSAS then fix that entry with HJT. After you do this reboot and let me know how things are running and if any problems remain.

 

I didn't know I was using "Outpost Firewall." I went to my control panel add/remove and did not find Outpost Firewall. I want to continue using NIS. If Outpost Firewall is installed, how do I remove it? Also, if my comuter is running other programs that seem unnecessary, please let me know.

I shut down MSAS then fix the following with HJT.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

I reran HiJack This again and confirmed that it was deleted.

I rebooted and attached my latest HiJack This file.

Things seem OK, except for the Outpost Firewall problem.

 

Have HJT fix the entry below..

O20 - AppInit_DLLs: C:\Program Files\Spyware Tools\Outpost Firewall Free\wl_hook.dll

If you choose to, navigate to and delete the folder below.

C:\Program Files\Spyware Tools\Outpost Firewall Free

After you complete this, it should be gone.

 

Hi BJ,

1. I deleted the folder below as it was empty anyways.

C:\Program Files\Spyware Tools\Outpost Firewall Free

2. I had HJT delete

O20 - AppInit_DLLs: C:\Program Files\Spyware Tools\Outpost Firewall Free\wl_hook.dll

On doing so I received the following error message

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\Program Files\Spyware Tools\Outpost Firewall Free\wl_hook.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

3. I rebooted, ran HJT, and attached the scan.

 

Hi BJ,

I just opened Microsoft AntiSpyware and received two Internet Explorer URLs alert related to http://hsremove.com/done.htm, a file you asked me to remove with HJT. Here are the two alerts (note how close in time they are):

Internet Explorer URLs alert occurred on: 1/7/2006 at 8:43:48 AM. Internet Explorer URL for Start Page has been blocked from being changed from http://hsremove.com/done.htm to about:blank. This URL is in the user's blocked Internet Explorer URL list.

Internet Explorer URLs alert occurred on: 1/7/2006 at 8:44:01 AM. Internet Explorer URL for Start Page has been allowed to be changed from about:blank to http://hsremove.com/done.htm. This URL is in the user's allowed Internet Explorer URL list.

I just ran HJT and see the following in my HJT log

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

Attached is my latest HJT log.

What can I do to fix this?

 

MSAS is blocking this fix on this entry. It is not a threat, its there because HSRemove was ran, which should not be ran anymore. This is one reason I dont like MSAS.

Shut down MSAS completely, fix this entry and reboot. If MSAS complains any, tell it to hush and ignore this.

 

1. Attempt to fix the problem
OK, I deleted the hsremove application and its folder from my harddrive.

I then shut down MSAS completely, fix R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm with HJT, and rebooted.

On rebooting, I ran HJT and confirmed the following was gone.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

2. Bill Gates won't let us fix the problem
I then opened MSAS and the same thing happened! MSAS first blocked my Internet Explorer URL for Start Page from being changed from http://hsremove.com/done.htm to about:blank. Then it allowed the change!

3. Some additional info that might assist you
MSAS has a Manage Blocked Internet Explorer URLs. My MSAS indicates that I have two blocked Internet Explorer URLs

about:blank
http://v4.windowsupdate.microsoft.com

4. What can we do next?
"If MSAS complains any, tell it to hush and ignore this."

I'm not sure what you mean by the above. Should we let Bill Gates win on this one or continue trying to fix R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm?




If MSAS complains any, tell it to hush and ignore this.

 

Shut down MSAS!!

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file iefix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the iefix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

 

Before I proceed, when you say "Shut down MSAS!!", the way I've been doing it is to right click the MSAS icon in the taskbar, select "Shutdown MSAS", and then select "Yes". Is this sufficient to shut down MSMA? TIA

 

Yeah, that should be ok.

 

I shut down MSAS, copied the contents of the Quote Box to Notepad, made a file called iefix.reg from the contents, ran iefix.reg, and selected yes to merge the file.

I rebooted and looking forward to the next step.

 

It should not come back, if MSAS comes up like it's been doing just allow it to make the change.

 

An update

I just opened MSAS and got the following

URL Search Hooks alert occurred on: 1/7/2006 at 10:20:46 AM

An Internet Explorer URL Search Hook ({CFBFAE00-17A6-11D0-99CB-00C04FD64497}) has been added to Internet Explorer and has been automatically allowed. Microsoft AntiSpyware has determined this program to be free of known spyware.

About URL Search Hooks: A URL Search Hook is used when you type an address in the location field of the browser, but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook will attempt to try to find the location you entered.

Internet Explorer URLs alert occurred on: 1/7/2006 at 10:21:08 AM

The user has decided to block the Internet Explorer Search Bar URL change from its original URL of http://www.google.com/ie to http://search.msn.com/spbasic.htm.

Internet Explorer URLs alert occurred on: 1/7/2006 at 10:21:19 AM

Internet Explorer URL for Search Bar has been allowed to be changed from http://search.msn.com/spbasic.htm to http://www.google.com/ie. This URL is in the user's allowed Internet Explorer URL list.

***** On a different note *****

I ran HJT and found the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

 

Uninstall MSAS, run the registry patch I previously posted. Check HJT, make sure its not there anymore, if it is fix it. Reboot about 3 times, check it, make sure its not there.

After you do this, then you can reinstall MSAS, personally this is one reason I would leave it uninstalled but thats up to you.

 

The good news
I uninstall MSAS and run the registry patch. HJT showed that R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm was still present. I fixed it. I then rebooted 3 times and used HJT to confirm that it was not there.

I reinstalled MSAS, rebooted, and used HJT to confirm that it was not there.

The bad news
I ran spybot S&D and found the following problems

1. Registry Cleaner, Program directory
C:\Document and Settings\Application Data\Registry Cleaner
2. Registry Cleaner, Settings
HKEY_USERS\S-1-5-21-682003330-1409082233-839522115-1004\Software\RegistryOptimizer.com

You can see this same spybot S&D problems described in my eariler posts. I fixed the problems.

Attached is my latest HJT log

 

Your logs are clean!

You should see this article on How to Protect yourself from malware!

 

Thanks for all your help! I'll next run through the procedures at How to Protect yourself from malware!

YOU GUYS ARE THE BEST!

 

Your Welcome!

Surf Safely!