Techzonez    


Adware & Spyware Think you may have an Adware or Spyware problem? Discuss it here.

Old February 27th, 2005, 05:51 AM   #1
rik
Old, Cranky and Perverted
Super Moderator
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
About:Blank, CWS Hidden.dll, Startpage.16.M, se.dll

Let me start by saying that like so many other people I have been fighting to remove this crapware from a system that I have been working on for a friend. It's a Windows 98 box that I have worked on for a couple of weeks now and thought I had this whipped but now I've spent most of the day attempting to remove a foe that I knew little about.

After some in-depth research I have found that this is one of the most prevalent and stubborn pieces of malware I have ever faced, and I'm still not sure that I have beaten it. I have installed almost all of the most popular and highly recommended Spyware removal/preventative apps that this and most sites have suggested.
AVG antivirus finds the Startpage.16.M and says that it removes the culprit but doesn't. CW Shredder finds and removes CWS Hidden.dll but it comes back. The SpyBot Tea Timer is running in the background, yet when About:Blank shows that it is trying to be set as the new Home Page and you Deny that change, it doesn't seem to work.
Obviously this is some kind of a blended threat that one or possibly many apps cannot protect against.
The list of apps I have used is as follows: Ad-Aware SE, SpyBot, SpySubtracter, KillBox, CWS Shredder, HiJack This, and About:Buster.
Now again this is an ongoing battle as I have indicated. It appears that I have won at this point but I enjoy this victory with guarded suspicion.
Anyway, in my search I have found some great articles on Browser Hijacking and Preventative measures that can be taken. These come from WWW.SPYWAREINFO.COM and are written by Mike Healan. http://www.spywareinfo.com/articles/hijacked/#removal and http://www.spywareinfo.com/articles/...ed/prevent.php are links to great articles and maybe these links can be added to our own Removal Thread in an effort to educate our users and help those that find themselves in the same position that I'm in. Also here is the CLSID / BHO List / Toolbar Master List from another great board that I frequent, CastleCops, http://computercops.biz/CLSID.html, that can help in identifying different Browser Helper Objects and Internet Explorer Toolbars.

As I said I think that I may have won with the help of all these different apps, boards suggestions, and some determination but we shall see.

More to follow...
Old February 27th, 2005, 06:09 AM   #2
FastGame
Hardware guy
Super Moderator
Join Date: Apr 2002
Location: Blasters worm farm
Posts: 3,674
I'm glad you posted this. I just got a PC in today that is so infested, I think it has every spyware/trojan that's in the wild.

They have the HP recovery CD but I'm going to take on the challenge of cleaning it first.
Old February 27th, 2005, 14:23 PM   #3
Curio
Triple Platinum Member
Join Date: Nov 2004
Location: London
Posts: 907
One of the problems is that if the CLSID remains in the registry and you visit a page that calls that CLSID it will re-install with no user notification or interaction required. HijackThis is the top tool for all this stuff along with KillBox and some brain power.
Other very useful resources can be located at

www.subratam.org
www.hijackthis.de (Log parser - good forums)
www.iamnotageek.com (now has a HJT log parser too - woohoo!)
www.spywareguide.com (online spyware cleaner - X-Cleaner really is excellent)

There are new spyware variants coming out regularly but not as often as 6 months ago - perhaps they are running out of ideas? The worst ones tend to have multiple points of startup and to use random filenames which can change on reboot. Along with this, two or more processes may watch each other and restart any constituent killed process automatically - for these you need a dummy benign executable to replace the process executables. I made one which also rewrites the .exe .bat .com .cmd etc... default actions back to %1 %* whenever it is called.
Old February 27th, 2005, 22:54 PM   #4
rik
Old, Cranky and Perverted
Super Moderator
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
Ok, I'm still on the trail of this @&$%#@ware. It's been a very long day, but it seems like I've made some progress. I wanted to keep posting links to some of the info that I have found in case anyone might find it useful. Obviously Google is the first tool in my box, but not everything found has helped. Due to the nature of this beast it "morphs" itself. Filenames change, installed locations and Registry entries also change, so one person's fix may not be the next person's fix.
Anyway, here is the next info link that has helped. http://www.scanspyware.net/info/180SearchAssistant.htm
Again, all entries were not in this computer, so hopefully I am still on the right road. Good Luck to you in your quest...
Old February 28th, 2005, 03:39 AM   #5
Dehcbad25
Trying to break 7
TZ Veteran
Join Date: Apr 2002
Location: Back in Civilization.
Posts: 2,391
I had some that were difficult to get out on every computer that I got lately, but most were because of password protected accounts (removing the password fixed it [almost]).
As I mentioned, running from a live CD got the most persistent out of the system. HijackThis also is a must. MS AntiSpyware was useful also, but I don't know if it runs on W98 (I doubt it).
Best solution, install Linux J/K
Did you use msconfig to check what is starting up?
Check the hosts file (HijackThis should be able to look it up) and the redirections for the search and blank pages. I haven't cleaned a W98 machine for a long time (about 6 months) so I can't remember all that I did.
Last edited by Dehcbad25; February 28th, 2005 at 03:42 AM.
Old February 28th, 2005, 14:35 PM   #6
rik
Old, Cranky and Perverted
Super Moderator
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
The MS AntiSpyware doesn't work on Win 98, although I didn't realize this until I d/l it and tried to use it. Another oddity was the complete lack of a host file. Dunno if that's normal for 98 or not. Also MSCONFIG was the first place I looked but Thanks Dave. The really time consuming part was going thru the registry. This weekend alone I probably spent 10 hours on this machine. For a Friend...Now I have another one being shipped to me from a relative.
Old February 28th, 2005, 15:00 PM   #7
FastGame
Hardware guy
Super Moderator
Join Date: Apr 2002
Location: Blasters worm farm
Posts: 3,674
Quote:
The really time consuming part was going thru the registry. This weekend alone I probably spent 10 hours on this machine.
That's about what I went through with the PC that I got the other day. Next time they're getting a format & reinstall.
Old February 28th, 2005, 23:11 PM   #8
cash_site
Security Intelligence
TZ Veteran
Join Date: Jul 2002
Location: Software Paradise
Posts: 4,210
It doesn't sound good, these blended threat models are a HUGE pain to get rid of... the worst ones are starting to use old Mainframe coding techniques for DLL injection... that way they can morph and attach to any valid process and re-spawn the malware.

Unless it is impossible to back up data, a reformat is the best solution... It might take 1 - 2 days to format and install all apps, but better than 2 weeks of hair-pulling over stupid morphing HiJacking piece of crapware!!
__________________

--- 0wN3D by 3gG ---
Old February 28th, 2005, 23:28 PM   #9
Curio
Triple Platinum Member
Join Date: Nov 2004
Location: London
Posts: 907
Some of the new variants are real buggers which require some specialist treatment - did a VX2 variant today which is one of them. Luckily some kind and knowledgeable souls have written some great tools to aid in their removal, vx2finder being one of them. Although I got rid of everything I could I still got a message on boot about some dll error which ended in the words 'random.dll, UMonitor'. FindVX2.bat located some lovely dlls for me which I removed with KillBox and my own dummy file (about 10-14 dlls in all). Once you get the methods right it doesn't take that long - about an hour.
At the moment my method is:
1. HJT first time.
2. HJT second time using dummy files to replace those which HJT first time didn't cure (swapped out via Pocket KillBox).
3. If there are nasty ones go to VX2Finder, AboutBuster, regedit to alter permissions on some registry keys (which reminds me, this one set a few registry key permissions so that HJT, BHODemon etc could not remove them), Autoruns, Process Explorer, BHODemon, WinsockFix and Internet Controller.
4. The usual stuff (SpyBot, Ad-Aware, MSAntiSpyware, X-Cleaner).
Real problems if there are lots of user profiles - you've got to do it in each one!!
Old March 1st, 2005, 04:52 AM   #10
rik
Old, Cranky and Perverted
Super Moderator
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
Curio you seem to be up on most of this so the info you give I am trusting as gold. Not sure I'm clear on point #2 where you use dummy files. What do you mean?

BTW if you write batch files or Reg files that are capable of helping remove or stifle these different threats I'll bet they can be posted here...on a "Use at Your own Risk" basis of course.
Old March 1st, 2005, 12:42 PM   #11
Fenalaar
Bronze Member
 
Join Date: Nov 2004
Location: Narvik, Norway
Posts: 142
About:Blank registers a text/plain filter for Explorer that will reinstall the crap.

Look for it in the registry....

I had to tear that one out of my brother's PC - this shit is close to making a regular PC, without a lot of third-party stuff (adware killers, Firefox &c), close to useless...

Johan-Kr
__________________
System1: EPoX 8KDA3+, 1Gb RAM, 1xMaxtor6L06 60Gb (system) 4xMaxtor DiamondMax10 200Gb(data) - Raid5, CoolerMaster CM Stacker, Win XP.
System2: PowerMac dual 800 (mirrored drive doors), OsX 1.4 Tiger
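A triage script for HijackThis-style log lines, covering the points Curio's method (BHO CLSIDs, R0/R1 page hijacks), Dehcbad25's hosts-file check and Fenalaar's text/plain filter note raise; it is an added example, not a tool posted in this thread, and the sample log, CLSIDs and paths in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis (HJT) log style; not a log from this thread.
# CLSIDs and paths are placeholders; se.dll is only the name from the thread title.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.0.0.1 www.example.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-0000000000AA} - C:\\WINDOWS\\se.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-0000000000BB} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O18 - Filter: text/plain - {00000000-0000-0000-0000-0000000000AA} - C:\\WINDOWS\\se.dll
"""

@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2"
    reason: str
    detail: str

RX_PAGE = re.compile(r"^(R[01]) - .*?,(Start Page|Search Page|Search Bar|Default_Page_URL) = (.*)$")
RX_HOSTS = re.compile(r"^(O1) - Hosts: (\S+)\s+(\S+)$")
RX_BHO = re.compile(r"^(O2) - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RX_FILTER = re.compile(r"^(O18) - Filter: (\S+) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def triage(log_text: str) -> list[Finding]:
    """Return the HJT entries worth a second look for an About:Blank-style hijack."""
    findings: list[Finding] = []
    bho_clsids: dict[str, str] = {}   # CLSID -> dll path, to tie a BHO to a MIME filter
    for line in log_text.splitlines():
        line = line.strip()
        if m := RX_PAGE.match(line):
            # about:blank can be a user's choice, so this is "review", not "remove"
            if "about:blank" in m.group(3).lower():
                findings.append(Finding(m.group(1), "IE page set to about:blank", f"{m.group(2)} = {m.group(3)}"))
        elif m := RX_HOSTS.match(line):
            if not (m.group(2) == "127.0.0.1" and m.group(3).lower() == "localhost"):
                findings.append(Finding("O1", "hosts file redirect", f"{m.group(3)} -> {m.group(2)}"))
        elif m := RX_BHO.match(line):
            name, clsid, path = m.group(2), m.group(3), m.group(4)
            bho_clsids[clsid] = path
            # Unnamed BHO dropped straight into the Windows directory is the pattern in the thread
            if name == "(no name)" or re.match(r"^[A-Z]:\\WINDOWS\\[^\\]+$", path, re.I):
                findings.append(Finding("O2", "suspicious BHO", f"{clsid} {path}"))
        elif m := RX_FILTER.match(line):
            mime, clsid, path = m.group(2), m.group(3), m.group(4)
            linked = " (same CLSID as a BHO)" if clsid in bho_clsids else ""
            findings.append(Finding("O18", f"MIME filter on {mime}", f"{clsid} {path}{linked}"))
    return findings
```

Because a filter registered under text/plain or text/html re-creates the BHO on the next page load, the O18 entry and the O2 entry that share a CLSID need to go in the same pass, which is why the script reports the link between them.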
Old March 1st, 2005, 13:12 PM   #12
FastGame
Hardware guy
Super Moderator
Join Date: Apr 2002
Location: Blasters worm farm
Posts: 3,674
Quote:
Curio you seem to be up on most of this so the info you give I am trusting as gold.
I agree, you make some real nice posts.
Old March 1st, 2005, 18:50 PM   #13
rik
Old, Cranky and Perverted
Super Moderator
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
Followup:

Well I thought I had it whipped....I had the system up and running at my house, all seemed great. None of the detection and cleaning apps found any indications of an infection. AVG no longer finds any Trojans, no longer getting any "weird" files being created in Windows\temp. I even put it on the internet and tooled around a bit to make sure it was working. Then I took it back to my friend...
I had installed everything I could to block hi-jack attempts and malware from getting on the system.

Today I get a message that it is back to its old ways...browser's been hi-jacked, can't get into email, popups out the ying yang. Obviously it's something specific to what she is doing or clicking on but I can't figure out what.

It's getting reinstalled next...

Last edited by rik; March 2nd, 2005 at 01:29 AM.
Old March 2nd, 2005, 00:27 AM   #14
cash_site
Security Intelligence
TZ Veteran
Join Date: Jul 2002
Location: Software Paradise
Posts: 4,210
Rik, is she on a home lan with other comps? or direct connection to internet via modem and bypassing router??

By the sounds of it there might be another computer within her lan that bypasses the firewall and infects her.

Also, have you turned off System Restore and then done a virus scan??
__________________

--- 0wN3D by 3gG ---
Old March 2nd, 2005, 02:02 AM   #15
rik
Old, Cranky and Perverted
Super Moderator
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
@CS - This is a Windows 98 box, no network, on a dialup internet connection. Nothing else I can blame 'cept the "nut behind the wheel".
