Manual fix--CWS sp.html#XXXXX variant

[groovicus]

Understanding and Removal.

**********


Due to the CWS sp.html#XXXXX variant mutating so frequently, many are confused about the proper method for removal when tools don't work, or there are unexpected results. RubberDucky's About:Buster is a huge help, but unfortunately for us, as soon as he gets it working, another variant shuts it down. When that happens, many users go unhelped. That is unfortunate, because the infection is not that difficult to remove manually.

What follows is a fix I have been using. This particular variation of the fix is from Grinler at Bleeping computer. I have seen a few other variations around, so it is hard to know who to credit it to. The comments are mine, along with a probably over simplistic explanation of what this infection does.

SYMPTOMS:
User gets redirected to random pages ending in #xxxxxxxx. In a log, it looks like this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lsjij.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lsjij.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lsjij.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lsjij.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lsjij.dll/index.html#37794

For those who are not familiar with this variant, once the user is infected, a multitude of files are written in the system folder, the system32 folders, and the registry, and a service that starts the infection is created, thus making it harder to kill. A somewhat recent discovery is that it also uses Alternate Data Streams to keep reinfecting. I'll show examples of what to look for.

The first step is figuring out which service is associated with the infection. So the first part of the fix:

************************************************************************************

The first thing I need you to do is download the file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post.

********************************************************************************

CWS usually uses 3 services:
Workstation NetLogon Service
Network Security Service
Remote Procedure Call (RPC) Helper

I have seen it attached to random services though, but those three are the most common.

This is what it looks like:

SERVICE_NAME: ½O.#ž‚„õØ´â
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\WINDOWS\mshf32.exe" /s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Workstation NetLogon Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

The gibberish in the service name makes it stick out like a sore thumb.

*****When trying to find the service , search for the phrase (null) ..it will save on your eyeballs, and will probably be the third or fourth service listed. Sometimes it is listed as the very last service.

In addition, if the user gives you a services log that contains a line like this:
Error querying status of O?’ŽrtñåȲ$Ó on \\C:
That means the user ran About:Buster, and the service didn't get removed. Have the user reboot and give you a new services log, and it should show up properly.

*******************************************************************************

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip. Once it is downloaded extract it to
c:\aboutbuster. We will use that program later in this process.

Reboot your computer into Safe Mode and follow these steps:

Step 1:

Click on start, then control panel, then administrative programs, then services. Look for a service called <insert DISPLAY_NAME from log of getservice.bat>. Double click on the that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

*******************************************************************************

In the next steps, the running processes are stopped and files are deleted, and this is where you need to be a little careful. The .exe's appear as random 4-7letter names, sometimes ending in 32, and can be in both the System and System32 folders.

Examples:
C:\WINDOWS\System32\smnbzcuw.exe
C:\WINDOWS\system32\atlbf.exe
C:\WINDOWS\system32\crgw32.exe

After you have done enough logs, they become pretty easy to see. Also, sometimes there is only one in the running processes.

********************************************************************************

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

<insert 1st process from process list>
<insert 2nd process from process list>

********************************************************************************

Now we need to delete the files. In this step it is essential to pay attention to what is happening. You need to see if ADS is being used.

If the file looks like this:
C:\WINDOWS\EXPLORER.EXE:cfmnf /s
Then DO NOT mark it for deletion. Notice the EXPLORER.EXE:cfmnf . This indicates ADS. Notice the file it is attached to...explorer.exe. We definately don't want to delete that. In that case, skip that part of the step.

The BHO is from the 02 entry, and it will have a random name also.
O2 - BHO: (no name) - {05DA21C0-E89B-F673-539B-7408A5D9D6BF} - C:\WINDOWS\system32\ipkh.dll

Just to emphasize, if the file in question is followed by a colon and random name, Do not mark it for deletion

********************************************************************************

Step 3:
I now need you to delete the following files:

<insert first filename from process list>
<insert second filename from process list>
The file from the services above.
<insert DLL from R1/RO entries>
<insert DLL from BHO>
<insert any other O4 entries not listed already>

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

***********************************************************************************

The rest of this is pretty self explanatory.

**********************************************************************************

Step 4:
Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:
<insert all the RO/R1,O2, and O4 lines>

Step 5:

In the next step we are going to remove a service that gets installed by this malware.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<insert SERVICE_NAME from getservice.bat>

If <insert SERVICE_NAME from getservice.bat> exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<insert SERVICE_NAME from getservice.bat>

If LEGACY_<insert SERVICE_NAME from getservice.bat> exists then right click on it and choose delete from the menu.

If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

*******************************************************************************

This is the part where About:Buster shines. For every .exe file, there is a duplicate .dll or .dat file that needs to be removed. Also, those ADS files need to be removed, and A:B does that also. The reference file is updated frequently, so it is necessary to verify that the user has the latest reference files.

*******************************************************************************

Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it completed move on to step 7.

Step 7:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 8:
Reboot your computer back to normal mode so that we can see if we need to restore some deleted files:

• Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  
  
  
• If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
  
  
  
• If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
  
  

Step 9:

Run an online antivirus scan at:

http://housecall.antivirus.com/

Reboot and post a last log

[color=darkblue]
*******************************************************************************

Merijn's site is frequently tough to get to. Encourage the user to keep trying until they get the files replaced that they need. Sometimes it is easier to uninstall Spybot and install a fresh version.

If this fix doesn't work, it is almost always for one of three reasons.
1. The user opened IE to follow the directions instead of printing out the thread.
2. The user rebooted his system between posting the log and applying your fixes. The malware mutates on every reboot, and the files change names..if they complain about not finding a bunch of the files, this is probably the problem.
3. They have some type of protection software blocking the fixes. Norton System Works always gives me fits, because users can't figure out how to shut it down.

Windows ME doesn't use the service in this way, so just follow the rest of the steps for removal and deletion.

**************************************************

Cheers!!

[The Grunt]

Nice post! This is hitting the bookmarks! I may need this on some idiots computer sometime soon...

[Tedob1]

thanks groove! its posts like this that make a hero out of me when i run accross this problem.

do you know off hand any sites in particular that have this crap on them. the more ordinary the better. id like to mail the links to my reps in a letter of protest.

[groovicus]

I wish I did Tedob. The people that I help are usually tight lipped when I try to find out where they have been, so I have to guess the usual warez and porno sites.

Next time I run across one, I'll see if I can get a user to match up a time of infection with their browsing history.

I do have an installer for this though if you would like to play with it. It doesn't give alternate data streams though. I'm still trying to get ahold of one of those.

[Und3ertak3r]

groovicus,

Thanks for the excellent post, your efforts here are appreciated.

Are you encountering many of these infections? And are you noticing a decline in the older CWS infections..

Interesting how things change.. 12 months ago.. If some one had a Adware problem the advice was d/l spybot or Adaware.. Now it is a marathon of restarts, safe mode, scan progs.. removal is now out of the hands of the novice.
as well we would only need to disable a couple of services , throw in the Google toolbar, or a good commercial Popup blocker.. now it is as above.. but scrap IE and advise the client to use Mozilla Firefox or Opera Browsers, and a registry protection prog (more than one confuses the average joe)

again.. Thanks Groovicus good effort..


Cheers

[groovicus]

There is a definate decline in the older types of CWS, but they are still out there. This particular CWS infection I deal with anywhere between 5-15 times a day..it is very much prevalent, and not very many understand how it works enough that they are able to remove it.

The only other infection that comes close is another CWS infection that looks like this:

[qote]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pjoba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank [/quote]

Unfortunately CWS Shredder drives these infections deeper.

It's been interesting to see the evolution of malware over just the past few months. They act more and more like viruses/trojans/worms every day. The LOP infection "phones home" to update itself, some malware runs as a service, some shut down protection software, and some attach themselves to critical windows files. The version of CWS mentioned above also resets ActiceX settings to allow all ActiveX controls.

I agree, it used to be Spybot and Adaware, and a good trojan scanner would do it. Now it is countless scans, removals, and reboots...and I really don't think that ServicePack2 is going to do much to stop it.

removal is now out of the hands of the novice.
as well

Exactly. It's out of the hands of most professionals too.

Cheers!!

[jinxy]

Groovicus,
How are third party apps like spyware blaster doing in preventing infection?? are they keeping pace with the development of this crap?

[foxyloxley]

because the infection is not that difficult to remove manually.

Well I MUST be reading the wrong thread, because it took a lot of reading to get to here, and I'm STILL not sure that I'd get it all out.

removal is now out of the hands of the novice

It's out of the hands of most professionals too

Maybe it's not JUST me then...........

[groovicus]

SpywareBlaster works great...if they had it installed beforehand. Adaware will detect the newer variants, but can't do anything about it yet. CWS shuts down Spybot. As Undertaker mentioned, some kind of registry monitor is pretty much mandatory.

There are all kinds of new anti-spyware tools hitting the market daily. One of the nicer ones I was fortunate enough to test is from Prevx.com. It is an application that monitors the registry, all critical windows files, locks down IE, and Microsoft Works applications. Couple that with a firewall and an AV, and a typical home user will be in good shape.

It mostly comes down to having a few simple protections in place to begin with. ActiveX should be disabled (IMHO) by default. It's once it gets in that it sucks. Home users have to take on an almost corporate approach to security by providing themselves layers of protection.

The poor common computer user doesn't stand a chance. They think they Norton is going to keep them safe. I know that on my system, if my AV is popping off, I'm probably already screwed because it got past my other defenses.

People talk about viruses and such causing so many dollars worth of damage, I'd really like to see figures on expenses due to removal and lost time from crap like CWS.

The good side of all of it, if there is a good side, is that more and more people are getting so fed up with it, that they are setting aside their feelings of intimidation, and trying to take their computers back. So they register at different forums and ask for help. I have tons of admiration for that, and I will do what I can to help them learn to be comfortable with their systems, and how to protect themselves.

Does that answer your question in a round-about way?

[jinxy]

Does that answer your question in a round-about way

Yes

And i do not think you answered in a roundabout way.

I do understand the reticents from victims to tell where they got infected though. I have one friend who asked me to have a look at his laptop. He did a complete format and install befor he let me have his box. Doh.

Still he paid me for updating it and giving him some protection.