Home Search Assistant / CWS_NS3 Removal / BackDoor-BDD Guide

Table of Contents:

1. Introduction
2. Preparation Steps
3. Begin Log Analysis Stage
4. Begin Removal Procedure
5. Final Comments

Introduction:

There is a new CoolWebSearch browser hijacker infection that has become very common lately. Symptoms of this infection include your computer becoming slower, popups, and when you start Internet Explorer your web page gets redirected to a site that has a title of Home Search. This infection is called by many names but is most often called by the following:

• Home Search Assistant
• Home Search
• Only the Best
• Shopping Wizard
• CWS_NS3

If you are infected with this infection you will see an image that is very similar to the one below when you start Internet Explorer:



Image of Internet Explorer being hijacked to Home Search



You will also see popups that will be titled Only the Best:

This self-help guide will walk you through the steps to remove the Home Search Assistant Infection. Before we begin I want to explain some terms and keys that you may see within this document:


Terms you need to know:

• [Download Link] - If you see this next to an underlined group of words it is used to signify what type of link it is, and that you should click on it in order to download the file.
  
  
• [Tutorial Link] - If you see this next to an underlined group of words it is used to signify what type of link it is, and that you should click on it in order to read the tutorial.
  
  
• [Print this tutorial before proceeding] - - If you see this next to an underlined group of words it is used to signify that you should print the tutorial that you will see when you click on the link
  
  
• HijackThis - This program is used to clean up entries in your computers configuration that are used to automatically start programs when Windows starts up.
  
  
• AboutBuster - This program is specially designed to help remove the Home Search Assistant infection.
  
  
• Ad-Aware - This is a Spyware removal utility.
  
  
• Registry - A database in Windows that contains configuration information on how your computer and software installed on that computer is supposed to operate.
  
  
• ADSSpy - A tool to look for Alternate Data Streams which are used by this infection to hide itself.

Tools Needed for this fix:
(Clicking on these links will bring you to the download page for the programs

• HijackThis [Download Link]
• AboutBuster [Download Link]
• Ad-Aware [Download Link]
• ADSSpy [Download Link]

Related Tutorials:

• How to use HijackThis to remove Browser Hijackers & Spyware [Tutorial Link]
  
  
• Home Search Assistant / CWS_NS3 Analysis [Tutorial Link]
  
  
• Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer [Tutorial Link]

Symptoms in a HijackThis Log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pmyqy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pmyqy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pmyqy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
O2 - BHO: (no name) - {151159EF-C5FE-DEA7-6C94-33A3EC6A9C14} - C:\WINDOWS\winlc32.dll
O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe

This infection can be very difficult to remove as the various programs used by this infection monitor each other and attempt to detect when someone is trying to delete them. If you follow these steps, though, you will be able to remove it on your own fairly easily. I will include step by step instructions on how to remove this infection and explain it in such a way that even a beginner at computers should be able to understand. Do not be turned away by the length of these instructions as they are only long because I went into extreme detail on how to complete each step.

---

Preparation Steps:

1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
   
   How to see hidden files in Windows [Tutorial Link]
   
   
2. Please download about:Buster from here.
   
   about:Buster Download Link. [Download Link]
   
   Save the file to your desktop. Once it is downloaded minimize all your windows and right click on the aboutbuster.zip file and select the Extract all option. Keep pressing next and then finish to extract the files to your desktop in the folder aboutbuster. Now double-click on the aboutbuster folder on your desktop, and double-click on the aboutbuster icon contained within it. If the program loads, do not run the scan at this time, but rather continue to step 3 in these preperation steps. If the program does not work then please download the following file and save it to your desktop.
   
   Missingfilesetup.exe [Download Link]
   
   Once it has finished downloading, double-click on this file to install the missing files that we need in order to run AboutBuster. Once that has been completed, rerun AboutBuster to confirm that it does work. As long as the program loads, we are in good shape.
   
   
3. Please download and install Ad-Aware as we will use this at the end of this fix in order to clean up any other Spyware or Malware that may be found on your computer after we clean up this particular infection.
   
   Ad-Aware [Download Link]
   
   
4. Please download ADSSpy from the above link. When it is downloaded, right-click on the adsspy.zip file, and select Extract all. Keep press next and then finish to complete extracting it. We may use this program later in the cleanup process.
   
   ADSSpy [Download Link]
   
   
5. Next we want to print out a HijackThis log so we can be prepared for the cleanup stage. Download HijackThis from the following link and save it on your desktop:
   
   HijackThis [Download Link]
   
   Please download HijackThis from the above link. When it is downloaded, right-click on the hijackthis.zip file, and select Extract all. Keep press next and then finish to complete extracting it. A new window should open with the HijackThis icon in it. Double-click on this icon, and then click on Scan. Then click on the Save Log button. Then press the Save button again. A notepad should open with the contents of the log. Print this out so you can refer to it as you are cleaning.

End of Preparation Steps

---

Begin Log Analysis Stage

How to identify the files associated with this infection:

Before we can attempt to clean up your computer, we need to identify the items in the log you have just printed out that we need to clean. Below I have included a sample log so I show you examples of what needs to be removed.

Example Log:

Logfile of HijackThis v1.98.2 Scan saved at 3:58:01 PM, on 10/1/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\windows\system32\d3uw.exe C:\WINDOWS\system32\addgp.exe c:\files\sw\hijackthis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hghda.dll/sp.html#37049 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hghda.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hghda.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hghda.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hghda.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hghda.dll/index.html#37049 R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {316E0DB4-BFD1-4559-E2B8-375C22AA81A5} - C:\WINDOWS\crpw32.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [d3uw.exe] C:\windows\system32\d3uw.exe O4 - HKLM\..\RunOnce: [sdkyo.exe] C:\WINDOWS\system32\sdkyo.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

The only visible difference between an XP/NT/2000 log and and a 95/98*Grinler log, is that the 95/98*Grinler log will have an extra line that looks like this:

O4 - HKLM\..\RunServices: [D3RP.EXE] C:\WINDOWS\SYSTEM\D3RP.EXE

The items that we are going to want to clean are always going to be similar to the following:

1. Multiple R0/R1 entries that look like:
   
   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hghda.dll/sp.html#37049
   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hghda.dll/index.html#37049
   
   You will find multiple R0/R1 entries and you will want to clean all of them.
   
   
2. One O2 which contains a file name that looks random, consisting of 4-5 characters and ending with 32, like this:
   
   O2 - BHO: (no name) - {316E0DB4-BFD1-4559-E2B8-375C22AA81A5} - C:\WINDOWS\crpw32.dll
   
   
3. One or more O4 entries that will always have the same entry name as the filename. RunServices entries will only appear in Windows 95/98*Grinler computers, so do not be alarmed if you are not using one of those versions and don't see that type of entry.
   
   Examples are:
   
   O4 - HKLM\..\Run: [d3uw.exe] C:\windows\system32\d3uw.exe
   O4 - HKLM\..\RunOnce: [sdkyo.exe] C:\WINDOWS\system32\sdkyo.exe
   O4 - HKLM\..\RunServices: [D3RP.EXE] C:\WINDOWS\SYSTEM\D3RP.EXE
   
   When we are cleaning these, do not be alarmed or surprised if you have many O4 entries or only one. Just clean them all. If you see an entry named internat.exe, pccguide.exe, or PCClient.exe, you can leave them alone as they are legitimate.
   
   
4. Windows XP/NT/2000 machines also contain a service that you will not be able to see as a fixable entry in the HijackThis log. We will give you instructions on how to find this particular file later in this guide.
   

Now from the above XP log, using the criteria just explained, the following would be the HijackThis entries we would want to clean:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hghda.dll/sp.html#37049 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hghda.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hghda.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hghda.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hghda.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hghda.dll/index.html#37049 R3 - Default URLSearchHook is missing [If you see this in a log, always fix it] O2 - BHO: (no name) - {316E0DB4-BFD1-4559-E2B8-375C22AA81A5} - C:\WINDOWS\crpw32.dll O4 - HKLM\..\Run: [d3uw.exe] C:\windows\system32\d3uw.exe O4 - HKLM\..\RunOnce: [sdkyo.exe] C:\WINDOWS\system32\sdkyo.exe

As you can see we have all the R0/R1, the O2, and the O4 entries selected that match the described criteria for this infection. With those marked off on the printer log, we will continue with the removal procedure.

---

Begin Removal Procedure:

You may want to print out these directions, as well as the other tutorials, as the Internet will not be available for most of these steps. I will designate those tutorials that you should print out. If you have problems while doing a step, simply skip over that step and proceed with the next one.


Step 1 - Reboot into safe mode

Reboot your computer into safe mode. Instructions on how to do this can be found here:

How to boot windows into safe mode [Tutorial Link] [Print this tutorial before proceeding]


Step 2 (XP/NT/2000 ONLY) - Identify the file name and name of the malware service:

Click on the Start button, then click on Control Panel. When the control panel opens, double-click on the Administrative Tools icon. When the Administrative Tools window opens, double-click on the Services button.

The Services window will contain a listing of all the services that are installed on your machine. We need to find one of the following:

• Network Security Service
• Workstation NetLogon Service
• Remote Procedure Call (RPC) Helper

When you see a service of this name, and there should be only one, double-click on that service name. You should now be in that service's properties page. Now please follow these steps:

1. Change the Startup Type drop down box to Disabled.
   
   
2. Then press the Stop button.
   
   
3. Then write down on a piece of paper the text found in the Path to executable field. This text is the filename for the service and we will need it later. You can ignore the /s at the end of the file name.
   
   
4. When you are done, press the OK button to exit the service's properties. Then exit the services window.

Now that we know the file being used as the service, we proceed to the next step.


Step 3 - End the running processes so that they do not re infect you.

In this step we want to shut down the infection programs, or processes, so that they can not re infect us as we are cleaning up the computer. The processes that we want to end are the O4 entries that we identified in the previous Log Analysis stage and the service file name that we identified in Step 2.

To do that press control-alt-delete (that means press the control and alt and delete keys at the same time on your keyboard) and that will bring you into the task manager. If you are in XP or 2000 click on the Processes tab and put a check in the checkbox labeled Show processes from all users. If you are in 95/98*Grinler then keep reading.

At this point you should end the O4 processes and the service process if they shown in the Task Manager. To end the task simply click once on the name of the program, and click the End Task button. Do not be alarmed if you do not see all or any of the processes you are looking for.

When you have completed ending each of the programs found from the O4 entries then please continue.


Step 4 - Clean up the HijackThis Log

Now that the processes have been stopped in Step 3, we will clean up the entries in the HijackThis log that are associated with this infection. First close all windows so you are at the desktop and there is nothing else running. Then start HijackThis and click on the Scan button. You will now see a listing of entries. Put a checkmark next to each entry that is associated with this infection as discovered in the Log Analysis stage. Remember that these infections always consist of the following:

• Multiple R0/R1 entries that contain text that is similar to this: res://C:\WINDOWS\system32\hghda.dll/sp.html#37049
  
  
• One O2 entry that contains text that is similar to this: C:\WINDOWS\crpw32.dll
  
  
• At least one, but may be many more, O4 entries that look similar to this: C:\windows\system32\d3uw.exe

When you are done putting checkmarks next to each of these entries, press the Fix button.


Step 5 - Delete the files identified as part of this infection.

Now that we have shut down the programs that were causing the infection and cleaned up the Registry with HijackThis, we want to actually delete these files off of our computer. You can do this by either searching for the files and deleting them when they are found or by using My Computer or Windows Explorer to navigate to the folders and then delete the file.

In our example log we found that the following files were part of this infection (Refer to the example above). These files may not be same as the ones you identified in your log as the names are always random.

C:\WINDOWS\system32\hghda.dll
C:\WINDOWS\crpw32.dll
C:\windows\system32\d3uw.exe
C:\WINDOWS\system32\sdkyo.exe

So if I you were to use My Computer to find the C:\WINDOWS\system32\hghda.dll. I would double-click on My Computer, then double-click on the C: drive, then double-click on the Windows folder, then double-click on the system32 folder. I would then look within that folder for the hghda.dll file and delete it.

Repeat this process for the other files found when doing the log analysis.

If you get an error when deleting a file. Right click on the file and click once on properties. Then check to see if the Read Only attribute is checked, and if it is, uncheck it and try deleting the file again.

When all the files are deleted, proceed to Step 6 where we will delete the service file discovered in Step 2 of this removal procedure.


Step 6- Delete the file used by the service (Only for XP/2000/NT Users)

In this step we are going to delete the service file found in Step 2 of this removal procedure. The service file can look like one of four different ways:

C:\WINDOWS\SYSTEM32\D3UY.EXE
C:\WINDOWS\D3UY.EXE
C:\WINDOWS\SETUPLOG.TXT:HNABN
C:\WINDOWS\SYSTEM32\SETUPLOG.TXT:HNABN

If the file name DOES NOT have a : in it, then you can simply delete the file as shown in Step 5. If on the other hand, it DOES contain a : we need to a special procedure to remove this file. Examples of two files with : in it are the last two entries in the above examples. Please follow the below steps only if your service file name contains a :

1. Navigate to the folder where you had extracted the ADSSpy program earlier. Then double-click on ADSSpy. When the program runs, click on the Scan the system for alternate data streams button. When the program has finished scanning your computer, you will be presented with a list of files found. Find in this list the entry that corresponds to the filename for your service found in Step 2 and put a checkmark next to it. Then click on the Remove selected streams button.

Now that the service file has been deleted please continue to Step 7.



Step 7 - Clean the Windows Registry of entries left behind by this infection

In this step we will delete some leftover Registry entries that HijackThis can not clean.

1. Download the attached cws-hsa.reg file to your desktop
   
   
2. When it has completed downloading, double-click on the cws-hsa.reg file.
   
   
3. When Windows prompts about whether or not you want to merge this information, click on the Yes button.

Now proceed to step 8.


Step 8 - Run about:Buster to clean up any leftover elements of this infection.

1. Navigate to the aboutbuster directory on your desktop and double-click on aboutbuster.exe found in this folder.
   
   
2. When the aboutbuster is open press the OK button
   
   
3. Press the Start button
   
   
4. Press the OK button
   
   
5. When it prompts you if it can shutdown Explorer.exe, allow it to do so by clicking on the Yes button.
   
   
6. It will then scan your computer for any files from the infection that may have been missed and delete them if they are found.
   
   
7. It will then ask to be allowed to scan a second time. Please respond Yes.

When it completed move on to Step 9.


Step 9 - Replace critical files that may have been deleted by this infection

At this point your computer is now free of the infection. Sit back, have a drink, and breathe a sigh of relief.

We still have a few steps left, but these are relatively easy and the worst is now over. This infection when it runs deletes some valid files that are necessary for your computer to run. I will provide links to these files and locations you should copy them to.

1. Reboot your computer back into normal mode so we are not in safe mode any longer.
   
   
2. This infection deletes the Windows system file called shell.dll. Please follow these instructions in order to restore that file:
   
   
   1. If you are using XP,2000, or NT please download shell.dll from here: shell-dll.zip.
      
      Once the file is downloaded un compress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):
      
      %windir%\system32
      %windir%\system
      
      
   2. If you are using Windows 98 please download shell.dll from here: shell-dll98.zip.
      
      Once the file is downloaded un compress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):
      
      %windir%\system
      
      
   3. If you are using Windows ME please download shell.dll from here: shell-dllme.zip.
      
      Once the file is downloaded un compress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):
      
      %windir%\system
      
      
3. If you have Spybot S&D installed on your computer we advise that you uninstall it and then download and install the latest version. This will make sure you have the latest files that are necessary for it to run correctly.
   
   
4. The infection deletes your HOSTS file as well so it required that we restore that file for some programs to work properly. Download the Hoster from:
   
   Hoster Download Link
   
   Press the Restore Original Hosts button and then press the OK button. Now exit the program as your HOSTS file is now restored.
   
   
5. If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.

Step 10 - Run two online virus scans for good measure.

Now I am just being paranoid, but it can't hurt to be safe, right? I want you to run two online virus scans to make sure there is nothing else lurking around your machine. Please visit the following two links and run the virus scans that can be found there:

TrendMicro's HouseCall
Bitdefender's Online Scan

Lets now proceed to last and final step.


Step 11 - Run Ad-Aware to clean up any other Spyware or Malware.

Our last and final step is to run Ad-Aaware on your machine. This will search your computer for any other spyware or malware that may have been missed and attempt to remove it. Instructions on how to use this software can be found here:

Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer [Tutorial Link]


Lawrence