How To Remove The Cws Swapx (http://t.swapx.cc/)

#1 Grinler (Lawrence Abrams), Admin

Posted 25 October 2004 - 11:20 PM


This self-help guide will allow you to remove the CWS SWAPX infection (http://t.swapx.cc/h.php?aid=20009 or http://win-eto.com/hp.htm?id=9).


What this program does:
  • Hijacks your Internet Explorer home page to http://t.swapx.cc/h.php?aid=20009 or http://win-eto.com/hp.htm?id=9.
  • Adds favorites to Internet Explorer that lead to porn sites.
  • Downloads other malware programs and installs them without your permission.
  • Deletes your Hosts file.

When infected with this variant your Internet Explorer will open to a screen that looks like this:
[Image: Internet Explorer home page hijacked to swapx.cc]

Tools needed for this fix: Ad-Aware SE Personal, HijackThis, Hoster and the cws_swapx.reg file (see the steps below).

Symptoms in a HijackThis log (the file names will differ):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\IK4995~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: c7vrp0mw8l.dll

You will most likely have quite a few other pieces of malware installed as well because of this infection.
How to spot the infection:
  • You will have an O2 entry for a DLL file in c:\windows\system32 whose name contains a ~ (an 8.3 short name).

  • You will have an O4 Global Startup entry for winlogin.exe.

  • You will have an O20 AppInit_DLLs entry for a DLL with a random filename.
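The three symptoms above, plus the R0/R1 start-page entries and the associated names listed in step 15a further down, can be checked mechanically. The following is an added example and not part of the original guide or of HijackThis itself: it scans HijackThis log text for those indicators. The sample log is constructed from the entries quoted in this guide with one benign Java startup entry added, and the "random filename" test is a heuristic chosen for this example.

```python
"""Added example, not part of the original BleepingComputer guide: scan a
HijackThis log for the CWS SWAPX symptoms described above (O2 BHO in
System32 with a '~' in the name, winlogin.exe in Global Startup, an O20
AppInit_DLLs entry with a random-looking name) plus the associated names
listed in step 15a.  The 'random filename' test is a heuristic of this
example, not something HijackThis itself does."""
import re
from dataclasses import dataclass
from typing import List

# Hijack domains quoted in the guide (R0/R1 start and search page entries).
HIJACK_DOMAINS = ("swapx.cc", "win-eto.com")

# Names the guide says to fix in step 15a if they show up anywhere in the log.
ASSOCIATED_INDICATORS = (
    "super-spider", "couldnotfind.com", "istbar", "istsvc", "180solutions",
    "kdwzsn.exe", "xesder.exe", "power scan", "vvsn", "internet optimizer",
    "sidefind", "greg-search.com", "xxxtoolbar.com",
)

# Constructed sample: the log lines quoted in the guide plus one benign O4
# entry (Java's update scheduler) that must not be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\IK4995~1.DLL
O4 - Global Startup: winlogin.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O20 - AppInit_DLLs: c7vrp0mw8l.dll
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic: names like c7vrp0mw8l mix digits into the letters and have
    almost no vowels; shipped Windows DLLs almost never look like that."""
    if len(stem) < 8:
        return False
    has_digit = any(c.isdigit() for c in stem)
    letters = [c for c in stem.lower() if c.isalpha()]
    vowels = sum(1 for c in letters if c in "aeiou")
    return has_digit and (not letters or vowels / len(letters) < 0.25)


def scan_hijackthis(log: str) -> List[Finding]:
    """Return one Finding per log line that matches a CWS SWAPX indicator."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line)
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        low = body.lower()
        if code in ("R0", "R1") and any(d in low for d in HIJACK_DOMAINS):
            findings.append(Finding(code, "IE start/search page set to hijack domain", line))
        elif code == "O2":
            # The last " - " separated field of an O2 line is the BHO's DLL path.
            path = body.rsplit(" - ", 1)[-1]
            if "\\system32\\" in path.lower() and "~" in path:
                findings.append(Finding(code, "BHO DLL in System32 with '~' (8.3 short name)", line))
        elif code == "O4" and "global startup" in low and "winlogin.exe" in low:
            findings.append(Finding(code, "winlogin.exe in Global Startup", line))
        elif code == "O20" and low.startswith("appinit_dlls:"):
            dll = body.split(":", 1)[1].strip()
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append(Finding(code, "AppInit_DLLs with random-looking filename", line))
        if any(name in low for name in ASSOCIATED_INDICATORS):
            findings.append(Finding(code, "matches a name from the step 15a list", line))
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it against a saved HijackThis log (replace SAMPLE_LOG with the file contents) to get the list of entries to write down before fixing them in step 15; anything it does not flag still needs a human look, since the file names change between variants.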


Instructions: IMPORTANT UPDATE ON 12/04/04: Please note that this tutorial has been updated because of a new variation of this infection. Ad-aware can now remove this infection. I have updated the steps below to reflect these changes.
Manual Removal:  
  1. Download and install Ad-Aware SE Personal from the following link:

    Ad-Aware Download Link

  2. After it has completed installing, double-click on the Ad-aware icon to start the program.

  3. After the program opens, immediately click on the Check for updates now link.

  4. After the program has downloaded the latest update and installed them, click on the Scan Now button.

  5. Choose the Perform full system scan option

  6. Press the Next button.

  7. If the program hangs while scanning, then do steps 4 - 6 again, but after selecting Perform full system scan, select the Customize link and uncheck Scan Active Process. Then attempt to scan your computer again.

  8. When the scan is finished a screen will appear showing you if anything was found.

  9. Click the Next button and you will see a listing of the bad files found. Right-click on the screen and choose Select all objects. You will now have checkmarks in all the listed items.

  10. Click Next and then click OK at the prompt where it is asking you to continue.

  11. When it is done fixing the selected items, exit Ad-aware.

  12. Reboot your computer.

  13. Download HijackThis from the above link and extract it to c:\hijackthis.

  14. Navigate to the c:\hijackthis directory and double-click on HijackThis

  15. Run HijackThis and press the Scan button.

    1. Put a checkmark next to the O2, O4, and O20 entries that are associated with this infection, as defined by the symptoms outlined earlier. If you see other entries that contain the following files or words, you can put a checkmark in them as well. Be sure to write down the locations of the files you are fixing first, as we will need to delete them later.

      Super-spider
      couldnotfind.com
      C:\Program Files\ISTbar\
      C:\Program Files\ISTsvc\
      c:\program files\180solutions\
      C:\WINDOWS\kdwzsn.exe
      C:\WINDOWS\System32\xesder.exe
      C:\Program Files\Power Scan\
      C:\Program Files\VVSN\
      C:\Program Files\Internet Optimizer\
      C:\Program Files\SideFind\
      *.greg-search.com
      www.xxxtoolbar.com

    2. Then press the Fix button.

    3. Exit HijackThis.

  16. Download the Hoster from this Hoster Download Link. This will restore your deleted Hosts file.

    1. Press "Restore Original Hosts" and press "OK".

    2. Now exit Hoster.

  17. In this step we are going to clean out your temp files. Click on Start, then Run, type %temp% and press the OK button. This should open the temp directory that your machine uses. Delete all files found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

  18. Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

  19. Download the cws_swapx.reg file and save it to your desktop. When it is done downloading, double-click on the cws_swapx.reg file located on your desktop and, when it asks if you would like to merge the information, click on the Yes button.

  20. Delete all the files from the entries you fixed in Step 15a. If you are the slightest bit unsure, then do not delete the file.

  21. Disable and reenable System restore using the instructions found here:

    Windows XP System Restore Guide

    Managing Windows Millennium System Restore
Now your computer should no longer be infected with the CWS_SWAPX infection! Please note that due to the nature of this program a great deal of other spyware and malware may be installed on your computer. If you are still receiving popups or having trouble, then post a HijackThis log in our HijackThis Logs and Analysis forum.  

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.


#2 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 02 December 2004 - 05:48 PM

This tutorial has been updated to reflect the necessary additional step of running AVG Free antivirus software.

#3 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 04 December 2004 - 12:29 PM

Updated again to include the fact that Ad-aware can now clean most of this infection.