CWS.Homesearch

Discussion in 'Malware Help (A Specialist Will Reply)' started by ted1, Oct 30, 2005.

  1. ted1

    ted1 Private E-2

    1. PC is a Dell with Windows XP SP2, 512 MB RAM, Pentium®4 CPU 2.53 GHz, Hard Disk 55.84 GB.

    2. BT Yahoo anti spy identifies the CWS.Homesearch hijacker located at Hkey_local_machine\system\currentcontrolset\enum\root\legacy_11f*00df*ooe4*ooo6#*oob7*ooba*ooc4*ood6'i. Unfortunately it cannot fix this.

    3. I have followed ‘Read and run me first’ and run all of the scans including those referred to in section 8. However, I could not get online in safe mode to run BitDefender, Trend Micro and TrojanScan so ran them in normal mode. In addition I have run AboutBuster. None of these scans identified this virus. RavAntivirus (run just before it became unavailable) found three viruses and deleted two. One apparently remained in Windows Update Log. Microsoft Anti Spyware found 6 viruses, including CoolWebSearch.Start Page, which were all deleted. However, CoolWebSearch.Start Page reappeared after I had re-run several more clear scans.

    4. I have had numerous warnings of IE browser settings being changed and I think I have been able to pre-empt some of these. Strangely, I have not noticed any actual problems when using my BT Yahoo browser but I believe that this may not mean that nothing illicit is taking place.

    5. I attach my HJT log. I would appreciate any advice you can give me to remove this hijacker. Is it possible or wise to delete the infected registry entry?

    Many thanks.
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow the steps below:

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.

    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
  3. ted1

    ted1 Private E-2

    Thanks for your response. If I have made an error in my original post please forgive me as I haven't done this before. So far as I can tell I have already followed all of the steps referred to in your reply. Have I omitted to do something? If so, can you please let me know what else I should do? I appreciate the help.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. ted1

    ted1 Private E-2

    My HJT log file, in normal mode, is attached to my original post.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It doesn't appear you have run the online scans listed in the READ ME, please go back and run each step in the READ ME including the online scans then attach a fresh HJT log.
     
  7. ted1

    ted1 Private E-2

    With respect, in item 3 of my original post I confirm that I have run the on-line scans. As therein noted, I had to run these in normal mode as I could not get on-line in safe mode. To confirm again, I have followed all of the required steps in 'Read me' before submitting my help request.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a current HJT log from normal mode.
     
  9. ted1

    ted1 Private E-2

    Current HJT log attached as requested.
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please disable Spybot's TeaTimer so it will not block anything we try to fix! How To Disable TeaTimer

    Next, please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {F9DB070D-5394-0723-F5DA-646C713E9FE2} - (no file)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    After you complete the above REBOOT, scan with HijackThis and attach the new log.
     
  11. ted1

    ted1 Private E-2

    Followed each step of your advice as directed. Spybot did not find anything and Ad-Aware only found 2 MRU's. I also ran these and Ccleaner in both normal and safe mode in case that would be helpful. New HJT log in normal mode attached. After following the procedure you specified, I finally ran BT/Yahoo anti spy. It still identified the presence of CWS.Homesearch at the registry location noted in my first post.
     


  12. ted1

    ted1 Private E-2

    Further to my last post, each time I reboot my PC I get various messages pop up at the bottom right of my screen telling me that 'Resident has allowed [a change] based on my white list'. I don't know what the white list is but I note that the items referred to include a couple of spyware scanners which I disabled from auto start up (boot up had become very slow) in Spybot S&D when I disabled its teatimer. In addition, one of the items referred to is the 'Kernel fault check' (code 04) which you asked me to delete in HJT. This item reappeared in a subsequent HJT scan but after fixing and telling Spybot S&D to remember the change it has not appeared in subsequent scans. Also when running HJT again I find that the two DPF (code 16) items which had been fixed by HJT have returned. I have tried fixing them again in HJT but they return when I reboot the PC. I attach a copy of the latest HJT log with the two offending code 16 items.
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Spybot

    Now, please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    O2 - BHO: (no name) - {F9DB070D-5394-0723-F5DA-646C713E9FE2} - (no file)

    O4 - Global Startup: BT Yahoo! Help.lnk.disabled

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.
    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
     
  14. ted1

    ted1 Private E-2

    Followed your advice and attach a new HJT log (normal mode as requested). The items deleted in HJT no longer appear to be recurring on rebooting. I removed Spybot as requested but I notice that in the HJT log, code 04 includes an entry for the Spybot Teatimer. I have searched my PC for all and any Spybot\TeaTimer files and deleted them. I cannot find the file identified here. I don't know if it makes a difference or if I should have had HJT fix this particular entry as well.

    Unfortunately, I also ran BT Yahoo Anti Spy and it still finds CWS.Homesearch at the location previously reported.

    I appreciate all of your help.
     


  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    After you complete the above, reboot and let me know exactly what is being detected by the Yahoo program.
     
  16. ted1

    ted1 Private E-2

    Followed the steps as indicated. I then ran BT Yahoo Anti Spy which indicates the continued presence of the item as follows:
    (Name) CWS.Homesearch, (Objects) 1, (Category) Highjacker, (Type) Key, (Object Location) hkey_local_machine\system\currentcontrolset\enum\root\legacy_11f*00df*00e4*0006#*00b7*00ba*00c4*00d6'i

    When attempting to 'remove' the item, a window indicates that the item 'cannot be restored if removed' and after pressing 'delete' a further window indicates that the item 'could not be completely deleted from the system'.

    I hope that this is some help.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixhsa.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixhsa.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, reboot and let me know how things are running.
     
  18. ted1

    ted1 Private E-2

    Thank you for your response. I followed your instructions and my PC seems to be running just fine. I subsequently ran BT Yahoo Anti Spy and it still indicates CWS.Homesearch as being present.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did it detect the same key? What does Yahoo do when you try to fix it?

    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

    Right click on ROOT and click EXPORT. ZIP this file and attach it to your next post.
     
  20. ted1

    ted1 Private E-2

    Sorry for not being totally clear. Yahoo detects the same key as before and provides the same responses as noted in my post of 16 November when I ask it to remove the item.

    I attach a zip file with the registry details as requested.

    Many thanks.
     


  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before you start this, uninstall Microsoft AntiSpyware. Also you must disable Norton and Yahoo Antispy. Then proceed with this fix...

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix1.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix1.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, reboot and see if Yahoo still detects it.
     
  22. ted1

    ted1 Private E-2

    Thanks. Followed your instructions. Uninstalled Microsoft AntiSpyware and disabled Norton. Yahoo only runs on command and does not run in the background - I took no action with this as there is no function to disable it. Should I have uninstalled it first and then re-installed after fixing the registry entry? Subject to this, after completing the required steps, I rebooted and ran Yahoo. The hijacker was still detected at the same location and Yahoo gave the same response as before when attempting and failing to remove it.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run post # 19 again and attach the zip file along with a current HJT log.
     
  24. ted1

    ted1 Private E-2

    Attached are the zip file with the registry details and the latest HJT log file, as requested. Thanks.
     


  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you disable Yahoo Antispy and Norton before running this registry fix.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix2.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix2.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, reboot and see if Yahoo Antispy still detects this.
     
  26. ted1

    ted1 Private E-2

    Regrettably, Yahoo AntiSpy still detects this hijacker - all responses as before. I'm really sorry about this.
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try a manual edit: click Start > Run and type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

    Now locate the key below:

    LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I

    Once located, right click and delete it. Doing this should remove this key! Reboot and make sure!
     
  28. ted1

    ted1 Private E-2

    Attempted to manually delete the key as directed but could not do this. When I click on delete I get a window informing me that 'Cannot delete Legacy...etc: Error while deleting key'.

    Sorry for the delay in responding to your last post but I did not get the usual e-mail notice to advise me of the post - not a criticism, just an explanation.

    Thanks again.
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do this, let's take control of that key.

    Click Start > Run > type in regedit

    Right click on HKEY_LOCAL_MACHINE and select PERMISSIONS.

    Under "Group or user names" locate EVERYONE and at the bottom make sure the box next to FULL CONTROL is checked. If it is not, check it and click OK. It may freeze but this is normal, just wait on it.

    After you complete the above, try to delete the key again. If it still doesn't delete, reboot into Safe Mode and try again.
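    The two posts above locate a LEGACY_ key with a garbage name under Enum\Root and then fix the permissions that made regedit report "Error while deleting key". The following is an added example, not part of the thread and not something bjgarrick posted: a read-only PowerShell check (it assumes PowerShell is available, which the XP machine in this thread did not have) that lists LEGACY_ keys whose names contain characters a real driver or service name would not, and shows for each one who owns it, which identities are allowed Delete, and whether any Deny entry is present. The `$plainName` pattern is an assumption about what ordinary names look like; it deletes nothing.

```powershell
# Added example, not from the thread. Read-only audit of HKLM\SYSTEM\CurrentControlSet\Enum\Root:
# flags LEGACY_* keys with odd characters in the name (like * # ` ' in the key reported above)
# and reports the ACL facts that decide whether a manual delete in regedit will succeed.
$rootPath  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$plainName = '^[A-Z0-9_\-\.]+$'   # assumption: legitimate LEGACY_ names are plain ASCII identifiers
$deleteBit = [System.Security.AccessControl.RegistryRights]::Delete

function Get-SuspiciousLegacyKey {
    param([string]$Path = $rootPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object {
            $key  = $_
            $body = $key.PSChildName.Substring('LEGACY_'.Length)
            if ($body -match $plainName) { return }   # ordinary legacy driver key, skip it

            $owner = 'unreadable'; $deleteHolders = @(); $denyHolders = @()
            try {
                $acl   = Get-Acl -Path $key.PSPath
                $owner = $acl.Owner
                # Identities explicitly allowed Delete (FullControl includes the Delete bit).
                $deleteHolders = $acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $deleteBit) -ne 0) } |
                    ForEach-Object { $_.IdentityReference.Value }
                # Any Deny entry at all is worth seeing: it overrides Allow entries.
                $denyHolders = $acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' } |
                    ForEach-Object { $_.IdentityReference.Value }
            } catch {
                # No READ_CONTROL on the key: even the ACL is hidden from this account.
            }

            [PSCustomObject]@{
                Key           = $key.PSChildName
                Owner         = $owner
                DeleteAllowed = if ($deleteHolders) { $deleteHolders -join ', ' } else { 'nobody listed' }
                DenyEntries   = if ($denyHolders)   { $denyHolders -join ', ' }   else { 'none' }
                SubKeys       = $key.SubKeyCount
            }
        }
}

Get-SuspiciousLegacyKey | Format-List
```

    Run it from an elevated prompt; a flagged key whose owner is not Administrators, or whose DeleteAllowed list does not include your account, is the situation the permissions step above is meant to fix.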
     
  30. ted1

    ted1 Private E-2

    Congratulations. You've cracked it. The key has been deleted. I ran Yahoo again and this time it found nothing. Everything else seems to be working fine. Thank you for your help and patience. I am very grateful and I have learnt a few things as well. Can I now reload Spybot and would you also advise that I also reload Microsoft AntiSpy as well?

    Once again, many thanks for your help.
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

