CWS Hijack

[Michael Schwarz]

My computer appears to be infected with the CWS Hijack
Trojan.

My browser is redirected to
res://nrkod.dll/index.html#37794. Various pop up ads
from "only the best" continue to recur. I have tried
deleting the various files associated with nrkod.dll.
They continue to replicate using a variety of different
names, including iebi32.exe, apibb32.exe, msoy32.exe,
winpn.exe, and so on. The bad files appear in the Windows
subdirectory, the Windows32 subsubdirectory and a
subdirectory called windows/prefetch.

I have been able to find the files using a program called
Ad-aware. However, after they are deleted the files come
back using different names. The only name that appears to
remain constant is nrkod.dll.

Is anyone familiar with this virus? Norton Antivirus does
not find it. And the various utilies on the web for CWS
Hijack do not appear to work.

I would appreciate hearing from anyone who has dealt with
this issue recently.

 

[PA Bear]

See http://forum.aumha.org/viewtopic.php?t=6207

Afterwards, check your system for (other) "hijackware":

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the preferred
tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow all Removal steps.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

Protect Your PC
http://www.microsoft.com/security/protect