Removing "Home Search Assistant" (CWS_NS3)



#1 CORNAN


Posted 28 November 2004 - 06:50 PM

I used tutorial85.html from this site to help remove CWS_NS3 "Home Search Assistant Hijacker". I think at least one of the other "removal tools" was actually a SpyWare installer itself [one of them had a name ending in "shredder", I can't tell if it did more damage than good], so be careful if you have this hijacker; at least "bleepingcomputer" doesn't seem to have its own unwanted payload.

Though it seemed useful, AboutBlaster hacked my IE start and search pages to http://www.google.com/, which I did not appreciate.

I needed to do more than just the steps shown, so the hijacker has probably been updated since the tutorial and since the latest version of AboutBlaster. None of the tools I used (NAV, Spy Sweeper or About Blaster) did the whole job themselves.

The latest rev of SpySweeper discovered the hijacker but its running processes brought it back.

Since the author put most of their pages in \WINNT as hidden files, toward the end it was pretty simple to do a >DIR /ah /od to find them.

Getting rid of all the background processes was the hardest, as I have a bunch of legitimate "O4" processes running. I couldn't tell about "javabn.exe", and left it in the first few passes, but I eventually zapped it.

The last things to go were appcv.exe, some unwanted Favorites entries, and last of all, a startup entry for msyt32.exe (which didn't exist by that time).

I hope this will be helpful to somebody else; you can put back the start and search pages in REGEDIT by searching for Google, so the "damage" from AboutBlaster, though annoying, was easy to address (it would have been easier if I knew it was going to happen; it took a few passes to realize that AboutBlaster was doing it).

FYI.



#2 Grinler


    Lawrence Abrams



Posted 01 December 2004 - 01:26 PM

This was responded to in another post here, but I will address it here as well:

Let me address some of your concerns as I was the one who wrote the tutorial and have extensive experience removing CWS_NS3/home search assistant.

First, CWShredder does not install Spyware. It is a tool created by the same person, Merijn, who made HijackThis. It is designed to search for and delete certain variants of the Cool Web Search infection. Not sure why you used this program for this infection, though, as it is not mentioned in my tutorial and does not apply towards this infection. You can be assured, though, that CWShredder does not do anything to harm your computer.

Second, you're right, AboutBuster does change your homepage to Google. It has to change it to something after removing the real hijacker that your homepage was set to. To reset your homepage after running AboutBuster there is no need to edit the registry. Simply open Internet Explorer, go to Tools, Internet Options, and change your homepage right there. You are right that it can not do the entire job itself, though, which is why it is listed as part of the removal process and not the entire process.

Third, why did you run Spy Sweeper and NAV? It's not even mentioned in the tutorial or stated that it can remove it. As a matter of fact, there is no known automated method of removing this infection, which is why we have that long and detailed tutorial.

Lastly, you are obviously of higher computer knowledge than most, so good job in removing this. There were some steps that you missed though from my tutorial:

Make sure you replace the shell.dll that has been deleted as well as your modified hosts file.

Reinstall control.exe if missing and make sure you reinstall spybot if you were using it.

If you are a Windows XP/NT/2000 user, make sure the service is disabled and optionally deleted if you like a tidy system.


Feel free to let me know if you need any help with any of these steps.



