Understanding and Removal.

**********


Because the CWS sp.html#XXXXX variant mutates so frequently, many helpers are unsure of the proper removal method when the tools don't work or give unexpected results. RubberDucky's About:Buster is a huge help, but unfortunately for us, as soon as he gets it working another variant shuts it down, and when that happens many users go unhelped. That is a shame, because the infection is not that difficult to remove manually.

What follows is a fix I have been using. This particular variation of the fix is from Grinler at Bleeping Computer. I have seen a few other variations around, so it is hard to know whom to credit. The comments are mine, along with a probably oversimplified explanation of what this infection does.

SYMPTOMS:
The user gets redirected to random pages whose address ends in #xxxxxxxx. In a HijackThis log, it looks like this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lsjij.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lsjij.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lsjij.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lsjij.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lsjij.dll/index.html#37794
For those who are not familiar with this variant: once the user is infected, a multitude of files are written to the Windows folder and the System32 folder, registry entries are added, and a service is created that restarts the infection at boot, which makes it harder to kill. A somewhat recent discovery is that it also uses NTFS Alternate Data Streams (ADS) to keep reinfecting the machine. I'll show examples of what to look for.

The first step is figuring out which service is associated with the infection. So the first part of the fix:

************************************************************************************


The first thing I need you to do is download the file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices folder and double-click on the getservices.bat file. A Notepad window will open. Please paste the contents of that Notepad window as a reply to this post.

********************************************************************************

CWS usually gives its service one of three display names:
Workstation NetLogon Service
Network Security Service
Remote Procedure Call (RPC) Helper


I have seen it attached to random services too, but those three are the most common.

This is what it looks like:

SERVICE_NAME: ½O.#ž‚„õØ´â
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\WINDOWS\mshf32.exe" /s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Workstation NetLogon Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

The gibberish in the service name makes it stick out like a sore thumb.

***** When trying to find the service, search for the phrase (null). It will save your eyeballs: the service will probably be the third or fourth one listed, though sometimes it is the very last one.

In addition, if the user gives you a services log that contains a line like this:
Error querying status of O?’ŽrtñåȲ$Ó on \\C:

it means the user has already run About:Buster and the service didn't get removed. Have the user reboot and give you a new services log; the service should then show up properly.
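To make the service hunt less painful, here is a small triage script that applies the rules above to a pasted getservices log: it flags a SERVICE_NAME containing non-printable characters, a (null) line after the name, one of the three display names CWS commonly uses, and the "Error querying status" line left behind by a partial About:Buster run. This is an added example, not part of Grinler's fix or of getservice.zip; the sample log is constructed here in the format shown above (the lanmanworkstation block is an ordinary service included for contrast), and the helper names are my own.

```python
import re

# Constructed getservice.bat-style output: an ordinary service for contrast,
# the CWS service as it appears on this page, and the "Error querying status"
# line seen after a partial About:Buster run.
SAMPLE_SERVICE_LOG = r"""
SERVICE_NAME: lanmanworkstation
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ½O.#ž‚„õØ´â
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\WINDOWS\mshf32.exe" /s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Workstation NetLogon Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

Error querying status of O?’ŽrtñåȲ$Ó on \\C:
""".strip("\n")

# Display names CWS is most often seen using (from the list above).
CWS_DISPLAY_NAMES = {
    "workstation netlogon service",
    "network security service",
    "remote procedure call (rpc) helper",
}
ERROR_RE = re.compile(r"^Error querying status of (.+?) on \S+$")


def has_unprintable_name(name):
    """The random CWS service names contain characters outside printable
    ASCII, which is why they render as gibberish in the log."""
    return any(not (32 <= ord(c) <= 126) for c in name)


def executable_from_path(binary_path):
    """Strip quotes and arguments from BINARY_PATH_NAME; this is the file
    that has to be deleted later."""
    binary_path = binary_path.strip()
    if binary_path.startswith('"'):
        return binary_path[1:].split('"', 1)[0]
    return binary_path.split()[0] if binary_path else ""


def parse_service_blocks(text):
    """Split the log into one dict per SERVICE_NAME block (blank line ends a block)."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip(), "null_marker": False}
            blocks.append(current)
        elif not line:
            current = None
        elif current is None:
            continue
        elif line == "(null)":
            current["null_marker"] = True
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return blocks


def find_cws_services(text):
    """Return the suspicious services, each with the reasons it was flagged."""
    findings = []
    for block in parse_service_blocks(text):
        name = block["SERVICE_NAME"]
        display = block.get("DISPLAY_NAME", "")
        reasons = []
        if has_unprintable_name(name):
            reasons.append("non-printable characters in SERVICE_NAME")
        if block["null_marker"]:
            reasons.append("(null) line following SERVICE_NAME")
        if display.lower() in CWS_DISPLAY_NAMES:
            reasons.append("DISPLAY_NAME is one CWS commonly uses")
        if reasons:
            findings.append({"service_name": name, "display_name": display,
                             "executable": executable_from_path(block.get("BINARY_PATH_NAME", "")),
                             "reasons": reasons})
    # A status-query error means About:Buster already ran and the service is
    # half removed; the user needs to reboot and produce a fresh log.
    for line in text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            findings.append({"service_name": m.group(1), "display_name": "", "executable": "",
                             "reasons": ["status query failed: About:Buster was already run; "
                                         "have the user reboot and re-run getservices.bat"]})
    return findings


if __name__ == "__main__":
    for finding in find_cws_services(SAMPLE_SERVICE_LOG):
        print(finding)
```

The display name in each finding is what you paste into Step 1 below, and the executable is the file that goes on the Step 3 delete list. A service is flagged on any one of the rules, so a CWS service that has borrowed a legitimate-looking display name is still caught by its unprintable name.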

*******************************************************************************
You may want to print out these directions, as you will be working in Safe Mode without Internet access. If you run into a problem with one step, please continue with the next one; just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip. Once it is downloaded, extract it to c:\aboutbuster. We will use that program later in this process.

Reboot your computer into Safe Mode and follow these steps:

Step 1:

Click on Start, then Control Panel, then Administrative Tools, then Services. Look for a service called <insert DISPLAY_NAME from log of getservice.bat>. Double-click on that service, click Stop, and then set the Startup type to Disabled. Also write down the name and path of the file listed in the "Path to executable" field. This file must be deleted below.

*******************************************************************************

In the next steps, the running processes are stopped and files are deleted, and this is where you need to be a little careful. The .exe files have random 4- to 7-letter names, sometimes ending in 32, and can sit in the Windows folder as well as the System and System32 folders.

Examples:
C:\WINDOWS\System32\smnbzcuw.exe
C:\WINDOWS\system32\atlbf.exe
C:\WINDOWS\system32\crgw32.exe

After you have worked through enough logs, they become pretty easy to spot. Also, sometimes only one of them shows up in the running processes.

********************************************************************************
Step 2:

Press Ctrl-Alt-Delete to get into Task Manager and end the following processes if they exist:

<insert 1st process from process list>
<insert 2nd process from process list>

********************************************************************************

Now we need to delete the files. In this step it is essential to pay attention to what is happening: you need to check whether ADS is being used.

If the file looks like this:
C:\WINDOWS\EXPLORER.EXE:cfmnf /s
then DO NOT mark it for deletion. Notice the EXPLORER.EXE:cfmnf. The colon followed by a random name indicates an Alternate Data Stream: the malware's code lives in a stream named cfmnf attached to explorer.exe, so there is no separate file to delete, and the only file you would find at that path is explorer.exe itself. We definitely don't want to delete that. In that case, skip that part of the step; the stream gets cleaned up by About:Buster later.

The BHO comes from the O2 entry, and its DLL has a random name as well:
O2 - BHO: (no name) - {05DA21C0-E89B-F673-539B-7408A5D9D6BF} - C:\WINDOWS\system32\ipkh.dll


Just to emphasize: if the file in question is followed by a colon and a random name, do not mark it for deletion.

********************************************************************************
Step 3:
I now need you to delete the following files:

<insert first filename from process list>
<insert second filename from process list>
The file from the services above.
<insert DLL from R0/R1 entries>
<insert DLL from BHO>
<insert any other O4 entries not listed already>

If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is set. If it is, uncheck it and try again. If the file is reported as in use, the process from Step 2 is still running and must be ended first.
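Steps 2 and 3 are mostly bookkeeping over the HijackThis log, and the ADS case is where people slip. The script below builds the kill list, the delete list and the "fix in HijackThis" list from a log, and puts any O4 entry that points at a stream (file:stream) on a separate do-not-delete list with the host file named. This is an added example, not part of the fix posted by Grinler or of HijackThis; the log excerpt is constructed here from the entries shown on this page plus a few ordinary processes, the short KNOWN_GOOD list of Windows binaries is illustrative rather than complete, and the "random name" rule is the 4-7 letters, optional 32 pattern described above, so anything it picks up still needs your own eyes before it is deleted.

```python
import re

# Constructed HijackThis log excerpt. The R0/R1, O2 and file names are the ones
# shown earlier on this page; smss/svchost/Explorer and SoundMan are ordinary
# entries added so the triage has something legitimate to leave alone.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atlbf.exe
C:\WINDOWS\mshf32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lsjij.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lsjij.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lsjij.dll/index.html#37794
O2 - BHO: (no name) - {05DA21C0-E89B-F673-539B-7408A5D9D6BF} - C:\WINDOWS\system32\ipkh.dll
O4 - HKLM\..\Run: [atlbf.exe] C:\WINDOWS\system32\atlbf.exe
O4 - HKLM\..\Run: [cfmnf] C:\WINDOWS\EXPLORER.EXE:cfmnf /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
""".strip("\n")

# Illustrative, deliberately short list of core Windows XP binaries that must
# never end up on a delete list; extend it for real use.
KNOWN_GOOD = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

RANDOM_EXE_RE = re.compile(r"^[a-z]{4,7}(32)?\.exe$")      # 4-7 letters, optional 32
WINDOWS_DIR_RE = re.compile(r"^c:\\windows\\(system32\\|system\\)?[^\\]+$")
RES_RE = re.compile(r"res://([^/]+)/")                      # DLL inside a res:// URL
O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - .+?: \[(.*?)\] (.+)$")


def first_token(command):
    """Return the executable part of an O4 command, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def split_ads(path):
    """Split 'C:\\dir\\file.exe:stream' into (host_file, stream).
    The colon after the drive letter is skipped; any further colon means the
    target is an NTFS alternate data stream, not a file of its own."""
    drive, rest = path[:2], path[2:]
    if ":" in rest:
        host, stream = rest.split(":", 1)
        return drive + host, stream
    return path, None


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_random_windows_exe(path):
    """Random-named exe sitting directly in \\WINDOWS, \\WINDOWS\\System or System32."""
    low = path.lower()
    name = basename(low)
    return bool(WINDOWS_DIR_RE.match(low)) and bool(RANDOM_EXE_RE.match(name)) \
        and name not in KNOWN_GOOD


def build_removal_plan(log_text):
    plan = {"kill_processes": [], "delete_files": [], "do_not_delete": [],
            "fix_in_hijackthis": [], "o4_review": []}
    dlls = {}  # DLL basename -> best known path (a full path wins over a bare name)
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False
            elif is_random_windows_exe(line):
                plan["kill_processes"].append(line)
                plan["delete_files"].append(line)
            continue
        if line.startswith(("R0 - ", "R1 - ")):
            m = RES_RE.search(line)
            if m:                       # only res:// hijacks are CWS entries
                plan["fix_in_hijackthis"].append(line)
                name = basename(m.group(1)).lower()
                if "\\" in m.group(1) or name not in dlls:
                    dlls[name] = m.group(1)
        elif line.startswith("O2 - "):
            m = O2_RE.match(line)
            if m:
                plan["fix_in_hijackthis"].append(line)
                plan["delete_files"].append(m.group(2).strip())
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            target = first_token(m.group(2))
            host, stream = split_ads(target)
            if stream is not None:      # ADS: fix the entry, never delete the host
                plan["fix_in_hijackthis"].append(line)
                plan["do_not_delete"].append((host, stream))
            elif is_random_windows_exe(target):
                plan["fix_in_hijackthis"].append(line)
                plan["delete_files"].append(target)
            else:
                plan["o4_review"].append(line)
    plan["delete_files"].extend(dlls.values())
    plan["delete_files"] = sorted(set(plan["delete_files"]), key=str.lower)
    return plan


if __name__ == "__main__":
    for section, items in build_removal_plan(SAMPLE_HJT_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

A res:// entry that names only the DLL (res://lsjij.dll) is paired with the full path from another R line when one exists; if every R line is bare, the delete list carries just the file name and you have to look for it in the Windows and System32 folders yourself. O4 entries that are neither ADS nor a random-named exe in a Windows folder land in o4_review rather than being dropped, since the page's rule is that any remaining CWS O4 line still gets fixed.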

***********************************************************************************

The rest of this is pretty self explanatory.

**********************************************************************************

Step 4:
Then close all programs and windows and run HijackThis. Put a checkmark next to each of these entries and press the Fix button when ready:
<insert all the R0/R1, O2 and O4 lines>

Step 5:

In the next step we are going to remove a service that gets installed by this malware.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<insert SERVICE_NAME from getservice.bat>

If <insert SERVICE_NAME from getservice.bat> exists, right-click on it and choose Delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<insert SERVICE_NAME from getservice.bat>

If LEGACY_<insert SERVICE_NAME from getservice.bat> exists, right-click on it and choose Delete from the menu.

If you have trouble deleting a key, click once on the key name to highlight it and choose the Permissions option from the Security or Edit menu. Uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone, put a checkmark in "Full Control", press Apply and OK, and attempt to delete the key again.

*******************************************************************************

This is the part where About:Buster shines. For every .exe file there is a matching .dll or .dat file that needs to be removed, and the ADS streams need to be removed as well; A:B does both. Its reference file is updated frequently, so verify that the user has the latest reference files.

*******************************************************************************

Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open, press the OK button, then the Start button, then the OK button, and finally the Yes button. It will start scanning your computer for files. If it asks whether you would like to do a second pass, allow it to do so.

When it has completed, move on to Step 7.

Step 7:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

Then double-click on the fix.reg file, and when it prompts to merge say Yes. This will clear some registry entries left behind by the infection.

Step 8:
Reboot your computer back to normal mode so that we can see if we need to restore some deleted files:

  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program. This restores the original Hosts file, which the malware deleted.


  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run, type regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.


  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn's Files (control.exe) and looking up where the file should be for your operating system. If the file is missing, download the appropriate file and place it in the proper location according to that information.



Step 9:

Run an online antivirus scan at:

http://housecall.antivirus.com/

Reboot and post a last log.
*******************************************************************************

Merijn's site is frequently hard to reach. Encourage the user to keep trying until they have replaced the files they need. Sometimes it is easier to uninstall Spybot and install a fresh copy.

If this fix doesn't work, it is almost always for one of three reasons:
1. The user opened IE to follow the directions instead of printing out the thread.
2. The user rebooted between posting the log and applying your fixes. The malware mutates on every reboot and the files change names; if they complain about not finding a bunch of the files, this is probably the problem.
3. They have some type of protection software blocking the fixes. Norton SystemWorks always gives me fits, because users can't figure out how to shut it down.

Windows ME doesn't run the infection as a service in this way, so skip the service steps and just follow the rest of the removal and deletion steps.

**************************************************

Cheers!!