CoolWebSearch.StartPage

Overview:
CoolWebSearch.StartPage is one of the MANY CWS variants. This browser hijacker modifies Internet Explorer's Trusted Sites list so that other threats can be installed on your system without your permission. Luckily CWShredder is around to automate the removal of this bugger, because it can be a pain to do on your own. This bugger installs quite a few BHOs and toolbars.

CWShredder 2.0 http://www.iamnotageek.com/files/CWSInstall.exe

Also Known As:
CWS.StartPage
Win32.Startpage

End Processes (may or may not exist):
download_plugin.exe
winttr.exe
winmm64.exe

This bug seems to produce random .exe names in several places, so you will want to look for any bizarre-looking names and end them as well.

Unregister DLLs:
Tip: this is only a list of known files/locations. You will want to search by the name of each file to see whether it is on your system.
A while back I wrote a guide to Register/remove DLL or AX files, which you will need if you don't know how to unregister these files.

Each file is in several locations, so you'll need to search for them and unregister and delete them in every location you find.

appfy32.dll
madopew.dll
rundlg32.dll

Clean your Registry:

Remove all of the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolBand.StartBHO.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolBand.StartBHO
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Page_bak
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Bar_bak
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Start Page_bak
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\rundlg32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks {30192F8D-0958-44E6-B54D-331FD39AC959}
HKEY_CLASSES_ROOT\clsid\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
HKEY_CLASSES_ROOT\clsid\{30192F8D-0958-44E6-B54D-331FD39AC959}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar {30192F8D-0958-44E6-B54D-331FD39AC959}
HKEY_CLASSES_ROOT\clsid\{05FEBAB2-D516-488F-B5C2-4F42D0FA11E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05FEBAB2-D516-488F-B5C2-4F42D0FA11E4}
HKEY_CLASSES_ROOT\clsid\{5767D4C3-FB44-11D8-903D-4445A044ABC0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5767D4C3-FB44-11D8-903D-4445A044ABC0}
HKEY_CLASSES_ROOT\clsid\{77BD798E-9532-4907-A833-002F8EE282C2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77BD798E-9532-4907-A833-002F8EE282C2}
HKEY_CLASSES_ROOT\clsid\{A13EC44D-9B29-46BF-9000-16D06FD0873C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A13EC44D-9B29-46BF-9000-16D06FD0873C}
HKEY_CLASSES_ROOT\clsid\{BBF51F79-0354-417B-9D18-224FCDE48956}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBF51F79-0354-417B-9D18-224FCDE48956}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA9CFF7A-C934-B52F-1677-94D40620341A}
HKEY_CLASSES_ROOT\clsid\{5259ECDA-AB50-69E2-24C7-E144CB3DE3D4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5259ECDA-AB50-69E2-24C7-E144CB3DE3D4}
HKEY_CLASSES_ROOT\clsid\{5A15DDB6-655D-F522-E714-789A91C4560A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A15DDB6-655D-F522-E714-789A91C4560A}
HKEY_CLASSES_ROOT\clsid\{72DC00BA-F422-1004-2D97-489E592AF6B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72DC00BA-F422-1004-2D97-489E592AF6B1}
HKEY_CLASSES_ROOT\clsid\{764BFB10-C941-55AC-2ABA-932066A3B6EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{764BFB10-C941-55AC-2ABA-932066A3B6EF}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\rundlg32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rundlg32.dll
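The three steps above (end processes, find and unregister DLLs, clean the registry) are easier to verify if you first get a report of which indicators are actually present. The PowerShell script below is an added example for this article; it is not code from the article, from CWShredder or from HijackThis. It is report-only: it checks the process names, DLL names and registry entries listed above and prints what it finds, changing nothing. It assumes a modern Windows PowerShell run from an elevated prompt (so HKLM and every user profile are readable), and it checks each CLSID in both HKCR\CLSID and the Browser Helper Objects key, which is a slight superset of the exact pairs the list gives.

```powershell
# Added example, not from the original article: report-only audit for the
# CoolWebSearch.StartPage indicators listed above. It changes nothing; compare
# its output with your HijackThis log before you remove anything.
# Run from an elevated PowerShell prompt so HKLM and all user folders are readable.

$processNames = @('download_plugin', 'winttr', 'winmm64')        # "End Processes" list
$dllNames     = @('appfy32.dll', 'madopew.dll', 'rundlg32.dll')   # "Unregister DLLs" list

# CLSIDs from the "Clean your Registry" list. Each is checked both as HKCR\CLSID\{...}
# and as a Browser Helper Object entry (a superset of the page's exact pairs).
$clsids = @(
    '{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}', '{30192F8D-0958-44E6-B54D-331FD39AC959}',
    '{05FEBAB2-D516-488F-B5C2-4F42D0FA11E4}', '{5767D4C3-FB44-11D8-903D-4445A044ABC0}',
    '{77BD798E-9532-4907-A833-002F8EE282C2}', '{A13EC44D-9B29-46BF-9000-16D06FD0873C}',
    '{BBF51F79-0354-417B-9D18-224FCDE48956}', '{BA9CFF7A-C934-B52F-1677-94D40620341A}',
    '{5259ECDA-AB50-69E2-24C7-E144CB3DE3D4}', '{5A15DDB6-655D-F522-E714-789A91C4560A}',
    '{72DC00BA-F422-1004-2D97-489E592AF6B1}', '{764BFB10-C941-55AC-2ABA-932066A3B6EF}'
)
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Whole keys whose existence is an indicator.
$keys = @(
    'HKLM:\SOFTWARE\Classes\ToolBand.StartBHO.1',
    'HKLM:\SOFTWARE\Classes\ToolBand.StartBHO'
)
foreach ($c in $clsids) {
    $keys += "Registry::HKEY_CLASSES_ROOT\CLSID\$c"
    $keys += "$bhoRoot\$c"
}

# Entries the page writes as "key valuename": the named value must exist under the key.
$sharedDll = 'C:\WINDOWS\Downloaded Program Files\rundlg32.dll'
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$values = @(
    @{ Key = $ieMain; Name = 'Search Page_bak' },
    @{ Key = $ieMain; Name = 'Search Bar_bak' },
    @{ Key = $ieMain; Name = 'Start Page_bak' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'; Name = $sharedDll },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'; Name = $sharedDll },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'; Name = $clsids[0] },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'; Name = $clsids[1] },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'; Name = $clsids[0] },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'; Name = $clsids[1] }
)

function Test-RegistryValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $false }
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $Name)
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Listed processes that are running, plus any process with one of the DLLs loaded
#    (a loaded DLL cannot be deleted until that process is ended).
foreach ($p in Get-Process -Name $processNames -ErrorAction SilentlyContinue) {
    $findings.Add("Process running: $($p.ProcessName) (PID $($p.Id)) $($p.Path)")
}
foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # access denied or 32/64-bit mismatch
    foreach ($m in $mods) {
        if ($dllNames -contains $m.ModuleName) {
            $findings.Add("DLL loaded: $($m.FileName) in $($p.ProcessName) (PID $($p.Id))")
        }
    }
}

# 2. Copies of the DLLs anywhere on the system drive (the page says there are several).
foreach ($name in $dllNames) {
    Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -Recurse -File -Force `
        -ErrorAction SilentlyContinue | ForEach-Object { $findings.Add("DLL on disk: $($_.FullName)") }
}

# 3. Registry keys and values from the list.
foreach ($k in $keys)   { if (Test-Path -LiteralPath $k) { $findings.Add("Registry key: $k") } }
foreach ($v in $values) { if (Test-RegistryValue @v)     { $findings.Add("Registry value: $($v.Key) -> $($v.Name)") } }

# The ModuleUsage subkey name contains forward slashes, which the registry provider
# treats as path separators, so enumerate that key through .NET instead of Test-Path.
$muPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage'
$mu = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($muPath)
if ($mu) {
    foreach ($sub in $mu.GetSubKeyNames()) {
        if ($sub -like '*rundlg32.dll') { $findings.Add("Registry key: HKCU:\$muPath\$sub") }
    }
    $mu.Close()
}

if ($findings.Count -eq 0) {
    Write-Output 'No CoolWebSearch.StartPage indicators from the list were found.'
} else {
    $findings | Sort-Object -Unique | Write-Output
}
```

An empty report is not proof of a clean machine: as the article says, this variant uses random .exe names, so the process check only covers the three names known at the time of writing, and anything flagged should still be cross-checked against a HijackThis log before it is removed.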

You should be back to normal IF this was your only problem. I suggest you post in our HJT forum, since it's not likely that this is your only bug. Read this first
