Wickedly Nasty New CWS Variant !!

Discussion in 'malware problems & news' started by Stumped, Jul 27, 2004.

Thread Status:
Not open for further replies.
  1. Stumped

    Stumped Registered Member

    Jul 8, 2004
    A few days ago, my work laptop got infected by something that looks
    to be a nasty new CWS variant. The symptoms were:
    1. Not able to browse the Internet. Getting IE "Cannot display this page"
    error page. (Another laptop connected to the same point could easily
    browse any site.)
    2. Word docs opened in MSWord being displayed in a strange manner.
    Some figures missing, fonts different from original. Also, the Font select
    list in the toolbar was displayed strangely - most fonts showing up as
    blank lines, others with a gray background & with the font name shown
    in the wrong font.
    3. Opening an Excel file in MSExcel showed only a blank page.

    Not being able to browse the Net was really nasty, because I could not
    download any of the programs to detect & fix the problem. So I put the
    network cable into an Ethernet hub, and connected both my work laptop
    (the infected one) and my home laptop to the hub. Now I could download
    files onto my home (clean) machine and get them onto the infected machine
    using Windows file sharing. I installed Ad-Aware using this. Running it
    showed that I had CoolWebSearch objects, but it gave no variant name.
    Next, I downloaded & tried to run CWShredder.exe but double-clicking
    the exe file (which was in the shared network folder in the clean machine)
    on the infected machine gave the following msg in a dialog box:

    "Access to the specified device, path, or file is denied."

    This seemed to be coming from the malicious software because the text
    had wrong punctuation - the ',' (comma) after the word 'path' and before
    'or'. The same msg was displayed when I tried to run NoAdWare.exe.
    Both these programs ran with no problems on the clean machine.

    Also, I checked & found that there were the 2 "sp.html" entries in the
    registry at: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    It also had an entry for HOMEOldSP with the value set to "about:blank".
    I knew these because I had seen them earlier when I had CWS:AboutBlank,
    which I had managed to clean after browsing the forums on this site. (Thanks
    a lot for that).

    Then, I noticed that the network mapped drive broke. Could no longer see
    the clean machine from the infected machine. This thwarted any attempts
    to try other downloaded fixes. Tried to get the 2 machines to see each
    other, rebooting both a number of times but failed. Then, I ran IE on the
    infected machine & found that it worked normally - no problem browsing
    any site. Also, the problems seen earlier in MSWord & MSExcel disappeared.
    Everything seems to be working fine now, except that I still cannot get the
    2 machines to see each other, so the file sharing doesn't work. Since I had
    not run anything successfully to get rid of the problem and since the registry
    entries still exist, I feel that the problem is still there - only lying dormant to
    strike later.

    Any help to fix this once & for all would be appreciated. I really need to fix
    this as it is my work laptop and I cannot afford to not have access to the
    files there. With a deadline coming up soon, this is the last thing I needed
    at this time (well, actually I didn't need it at all :(

    Thanks for reading & any attempts to help me..
    - Stumped
  2. Matt_Smi

    Matt_Smi Registered Member

    Jul 7, 2004
    Wow that sounds terrible, sorry but I do not have any ideas as to how you should go about fixing it. But do you have any idea how you got infected with it? Was it something you downloaded from a P2P network, or was it just something you got from an adult website?
  3. Artras

    Artras Registered Member

    Jul 18, 2004
    The Netherlands
    Just some things that came up in my mind. This doesn't sound like CW to me, but much worse. Anyway, most important is to get everything going again. (btw, ever heard of backup?)

    Create a bootable CD on the clean system and put the applications on it that I mention at my webpage (see the link in my signature). Also get the Avast BART CD and use those two to clean the infected system.

    Good luck.
  4. Bubba

    Bubba Updates Team

    Apr 15, 2002
    Hey Stumped,

    Since Wilders no longer offers analysis and cleaning service....I suggest you consider visiting one of the better known Browser Hijack help Forums.

    This site---> Hijackthis - Spyware, Viruses, Worms, Trojans Oh My! and be sure to check their

    **Before You Post, Read-Follow These Rules and Guidelines **

    For a list of other security sites that perform these types of hijack & spyware cleaning services check the below link out.

    This link---> http://a-sap.org/

    Also....concerning NoAdware....it's considered "questionable, or dubious value as anti-spyware protection." Check out the below link for a better explanation.

    This link---> Rogue/Suspect Anti-Spyware Products & Web Sites
  5. Stumped

    Stumped Registered Member

    Jul 8, 2004
    Thanks to all those who replied. To answer some of the questions, this is
    something I got from some adult website. (Embarrassed to admit that I had
    been visiting many. Got what I deserved. Never again will I do that. :oops:

    Also, cannot read a CD on the infected machine. The CD-ROM drive is not
    accessible due to some registry entry being corrupted. This was so ever
    since I got the system. Nothing to do with the virus. Which means I don't
    have back-up & sounds like I'm really screwed.

    Some news from this morning. I'm back to not being able to browse any
    website. Trying google.com shows IE trying to open some numeric IP in
    the status bar, and no page loads for a long time. msn.com gave the "Page
    not found" after a long time of waiting. I noticed that the light on the hub
    connection was blinking throughout. Checked the connection status and
    found that number of bytes sent was ~800,000-something while number
    of bytes received was in the thousands. Suspect the nasty chap had been
    sending some data somewhere, so I just pulled the network cord.

    Anyway, I'm gonna take it to some cleaning service - Fry's, CompUSA etc.
    My supervisor said I could do that rather than waste my time. (Don't tell
    him how I got infected :p

    Thanks again...
    - Stumped
  6. Matt_Smi

    Matt_Smi Registered Member

    Jul 7, 2004
    Don't be embarrassed, we all learn the hard way that adult sites are bad news. After getting a browser hijack and a few viruses/Trojans from them that resulted in me re-installing Windows I will never go on them again, it's not worth the risk! I don't know how much a computer store is going to be able to do with it. If you have a lot of important data and you can't back up your data to a CD, maybe you should consider purchasing an external hard drive and saving everything important to that, then re-installing Windows.
  7. X-ray Specs

    X-ray Specs Guest

  8. Stumped

    Stumped Registered Member

    Jul 8, 2004

    Anyway, backing up to an external hard drive and re-installing Windows
    seems to be the best way, though tedious, if Fry's can't do it.

    - Stumped
  9. Matt_Smi

    Matt_Smi Registered Member

    Jul 7, 2004
    Firefox is an internet browser http://www.mozilla.org/products/firefox/ it is much more secure than IE, and if you use it I believe that you are immune to browser hijackers, as they install through an exploit in IE that is not present in Firefox. It also has some nice features that IE does not such as tabbed browsing and a built-in pop-up blocker. I have been using it ever since I got hijacked a little while back.
  10. backfolder

    backfolder Registered Member

    May 25, 2004
    Maybe restoring your system to a previous 'restore point' could help you in some way. Another way is to find a good Bart's PE CD, and choose in your BIOS settings 1st Boot device: CDROM (2nd: Floppy, 3rd: HD0) for a proper bootup.

    Another way is to do a Hijackthis! log and post it in the right forum, I'm sure someone will help you. The thing about sp.html sounds familiar to me. Save the hijackthis log and send it to my mail here, my brother had a similar "sp.html" file problem but not those "poltergeist" consequences. Try to look for a non-system .dll in the Windows /System/ or /System32/ folders; HJT can show you what it is.

    Another way is to scan your system/suspicious dll online, I'll give you three links now:

    Global System Scan:
    - http://www.ravantivirus.com/scan/
    - http://housecall.trendmicro.com/

    Only One File Scan:
    - http://www.kaspersky.com/scanforvirus

    Hope this helps you.
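As an added example that is not part of the thread: a small Python scanner over a HijackThis-style log, covering both the HKCU\Software\Microsoft\Internet Explorer\Main entries Stumped describes in the first post (Start Page, Search Page and HOMEOldSP pointing at about:blank or sp.html) and the non-system DLL in System32 that backfolder suggests looking for. Everything in it is constructed for illustration: the log lines, the zeroed placeholder CLSID, the file name abcd.dll and the tiny System32 allowlist. HijackThis itself is a Windows tool; this only parses its text output, so it runs anywhere.

```python
import re

# Constructed HijackThis-style log (written for this example, not taken from the
# thread). R0/R1 lines mirror the HKCU\Software\Microsoft\Internet Explorer\Main
# values discussed above (Start Page, Search Page, HOMEOldSP); O2/O4 lines are
# the usual BHO and Run entries. The CLSID and abcd.dll are placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\abcd.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HOMEOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\abcd.dll
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

# Values of the IE "Main" keys that indicate an about:blank / sp.html hijack:
# the page is about:blank, it is sp.html served out of a DLL via res://, or a
# bare numeric IP stands in for a hostname.
SUSPECT_VALUE_PATTERNS = [
    re.compile(r"^about:blank$", re.I),
    re.compile(r"sp\.html", re.I),
    re.compile(r"^res://", re.I),
    re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I),
]

# Illustrative allowlist of files that legitimately live in System32
# (constructed; a real check would verify Authenticode signatures or hashes).
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "shdocvw.dll", "browseui.dll"}

R_LINE = re.compile(r"^R[0-3] - (?P<key>[^=]+?) = (?P<value>.*)$")
O_LINE = re.compile(r"^O\d+ - .*?(?P<path>[A-Za-z]:\\.*\.(?:dll|exe|ocx))\s*$", re.I)
RES_DLL = re.compile(r"^res://(?P<path>[^/]+\.dll)/", re.I)


def scan_hijackthis_log(text):
    """Return (line, reason) pairs for entries that look like a CWS-style hijack."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            value = m.group("value").strip()
            if any(p.search(value) for p in SUSPECT_VALUE_PATTERNS):
                findings.append((line, "IE Main value looks hijacked: " + value))
            continue
        m = O_LINE.match(line)
        if m:
            # Split "C:\WINDOWS\system32\abcd.dll" into folder and file name.
            folder, _, name = m.group("path").rpartition("\\")
            if folder.lower().endswith("\\system32") and name.lower() not in KNOWN_SYSTEM32:
                findings.append((line, "unrecognised file loaded from System32: " + name))
    return findings


def res_payloads(text):
    """DLLs that IE Main values load pages from via res:// (where sp.html usually lives)."""
    dlls = set()
    for raw in text.splitlines():
        m = R_LINE.match(raw.strip())
        if m:
            r = RES_DLL.match(m.group("value").strip())
            if r:
                dlls.add(r.group("path"))
    return dlls


if __name__ == "__main__":
    for line, reason in scan_hijackthis_log(SAMPLE_LOG):
        print(reason)
        print("    " + line)
    print("res:// payload DLLs:", sorted(res_payloads(SAMPLE_LOG)))
```

On the sample above it flags the three HKCU Main values and the unknown DLL in System32, leaves the HKLM msn.com start page and ctfmon.exe alone, and names abcd.dll as the DLL the res:// search page is being served from, which is the file you would want to hand to an online single-file scanner.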