This self-help guide will allow you to remove the CWS SWAPX infection (http://t.swapx.cc/h.php?aid=20009 or http://win-eto.com/hp.htm?id=9).
What this program does:
- Hijacks your Internet Explorer to open http://t.swapx.cc/h.php?aid=20009 or http://win-eto.com/hp.htm?id=9 as your home page.
- Adds favorites to Internet Explorer that lead to porn sites.
- Downloads other malware programs and installs them without your permission.
- Deletes your Hosts file.
When infected with this variant your Internet Explorer will open to a screen that looks like this:
[Screenshot: Homepage Hijacked to Swapx.cc]
- How to use HijackThis to remove Browser Hijackers & Spyware
- How to remove CoolWebSearch with CWShredder
- Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
- Windows XP System Restore Guide
- Managing Windows Millennium System Restore
A HijackThis log from an infected machine will contain entries like these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\IK4995~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: c7vrp0mw8l.dll
You will most likely also have quite a few other pieces of malware installed as well due to this infection. How to spot the infection:
- You will have an O2 entry that has a DLL file in c:\windows\system32 and the name of the file has a ~ in it.
- You will have an O4 Global Startup entry with winlogin.exe.
- You will have an O20 entry with a DLL that has a random filename.
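The three symptoms above, plus the hijacker domains from the top of the guide and the file/word checklist from the HijackThis step below, can be turned into a small log checker. The following Python is an added example written for this page; it is not a tool from BleepingComputer or from HijackThis. The sample log is constructed for the example: its R0/R1/O2/O4/O20 lines mirror the entries quoted in the guide, while the CLSID-looking value {00000000-0000-0000-0000-000000000001} and the "Example Vendor" entries are made up to show benign lines passing. The "random filename" test is this example's own heuristic (digits interleaved between letters in a name of 8+ characters), not a rule from the guide.

```python
import re
from typing import List, Tuple

# Hijacker domains and the step 15 file/word checklist, quoted from the guide.
# Folder entries keep their trailing backslash so "ISTbar\" does not also match
# other similarly named directories; "*.greg-search.com" is treated as a plain
# substring match on the domain part.
KNOWN_BAD_SUBSTRINGS = [
    "win-eto.com",
    "swapx.cc",
    "Super-spider",
    "couldnotfind.com",
    "C:\\Program Files\\ISTbar\\",
    "C:\\Program Files\\ISTsvc\\",
    "C:\\Program Files\\180solutions\\",
    "C:\\WINDOWS\\kdwzsn.exe",
    "C:\\WINDOWS\\System32\\xesder.exe",
    "C:\\Program Files\\Power Scan\\",
    "C:\\Program Files\\VVSN\\",
    "C:\\Program Files\\Internet Optimizer\\",
    "C:\\Program Files\\SideFind\\",
    "greg-search.com",
    "www.xxxtoolbar.com",
]

HJT_LINE = re.compile(r"^(R\d+|O\d+) - (.*)$")      # "O2 - BHO: ..." style lines
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32$")  # any drive letter


def looks_random(dll_name: str) -> bool:
    """Approximation of the guide's 'random filename' (this example's own
    heuristic, not a rule from the guide): at least 8 characters before the
    extension, with digits interleaved between letters, e.g. c7vrp0mw8l.dll.
    Names such as kernel32.dll, where digits are only a suffix, are not flagged."""
    stem = dll_name.strip().rsplit(".", 1)[0].lower()
    return len(stem) >= 8 and re.search(r"[a-z]\d+[a-z]", stem) is not None


def check_hjt_line(line: str) -> List[str]:
    """Return the reasons one HijackThis log line matches this infection.
    An empty list means nothing suspicious by the guide's indicators."""
    reasons: List[str] = []
    m = HJT_LINE.match(line.strip())
    if not m:
        return reasons
    section, body = m.group(1), m.group(2)
    low = body.lower()

    if section == "O2":
        # The BHO's DLL path is the last " - " separated field of the entry.
        path = body.rsplit(" - ", 1)[-1].strip()
        folder, _, fname = path.rpartition("\\")
        if SYSTEM32.match(folder.lower()) and "~" in fname:
            reasons.append("O2 BHO DLL in System32 with '~' in its name")
    elif section == "O4" and low.startswith("global startup:"):
        # winlogin.exe imitates the legitimate Windows winlogon.exe.
        if "winlogin.exe" in low:
            reasons.append("O4 Global Startup entry for winlogin.exe")
    elif section == "O20" and low.startswith("appinit_dlls:"):
        for dll in body.split(":", 1)[1].split(","):
            if looks_random(dll):
                reasons.append(f"O20 AppInit_DLLs loads random-looking DLL {dll.strip()}")

    # Checklist matches apply to every section (R0/R1 start pages, O4 Run keys, ...).
    for indicator in KNOWN_BAD_SUBSTRINGS:
        if indicator.lower() in low:
            reasons.append(f"contains known indicator '{indicator}'")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run check_hjt_line over every line of a log and return the flagged lines."""
    hits = []
    for line in text.splitlines():
        reasons = check_hjt_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


# Constructed sample log for this example: the infection entries mirror the ones
# quoted in the guide; the "Example Vendor" lines and the all-zero CLSID are made up.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\IK4995~1.DLL
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Vendor\helper.dll
O4 - Global Startup: winlogin.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example Vendor\updater.exe
O4 - HKCU\..\Run: [ISTbar] C:\Program Files\ISTbar\istbar.exe
O20 - AppInit_DLLs: c7vrp0mw8l.dll
"""

if __name__ == "__main__":
    for entry, why in scan_log(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

On the sample log the checker flags six of the eight entries and leaves the two benign "Example Vendor" lines alone. It is only a pre-filter for reading a log: AppInit_DLLs is normally empty on a clean machine, so anything listed there deserves a look even when the name does not trip the heuristic, and a flagged entry should still be confirmed against the symptoms before it is fixed.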
Instructions:
IMPORTANT UPDATE ON 12/04/04: Please note that this tutorial has been updated due to a new variation of this infection. Ad-aware now has the ability to remove this infection. I have updated the steps below in order to reflect these changes.
Manual Removal:
- Download and install Ad-Aware SE Personal from the following link: Ad-Aware Download Link
- After it has completed installing, double-click on the Ad-aware icon to start the program.
- After the program opens, immediately click on the Check for updates now link.
- After the program has downloaded and installed the latest updates, click on the Scan Now button.
- Choose the Perform full system scan option.
- Press the Next button.
- If the program hangs while scanning, then do steps 4 - 6 again, but after selecting Perform full system scan, select the Customize link and uncheck Scan Active Process. Then attempt to scan your computer again.
- When the scan is finished a screen will appear showing you if anything was found.
- Click the Next button and you will see a listing of the bad files found. Right-click on the screen and choose Select all objects. You will now have checkmarks in all the listed items.
- Click Next and then click OK at the prompt where it is asking you to continue.
- When it is done fixing the selected items, exit Ad-aware.
- Reboot your computer.
- Download HijackThis from the above link and extract it to c:\hijackthis.
- Navigate to the c:\hijackthis directory and double-click on HijackThis.
- Run HijackThis and press the Scan button.
- Put a checkmark next to the O2, O4, and O20 entries that are associated with this infection as defined by the symptoms outlined earlier. If you see other entries that contain the following files or words you can put a checkmark in them as well. Be sure to write down the locations of the files you are fixing first, as we will need to delete them later.
Super-spider
couldnotfind.com
C:\Program Files\ISTbar\
C:\Program Files\ISTsvc\
c:\program files\180solutions\
C:\WINDOWS\kdwzsn.exe
C:\WINDOWS\System32\xesder.exe
C:\Program Files\Power Scan\
C:\Program Files\VVSN\
C:\Program Files\Internet Optimizer\
C:\Program Files\SideFind\
*.greg-search.com
www.xxxtoolbar.com
- Then press the Fix button.
- Exit HijackThis.
- Download the Hoster from this Hoster Download Link. This will restore your deleted Hosts file.
- Press "Restore Original Hosts" and press "OK".
- Now exit Hoster.
- In this step we are going to clean out your temp files. Click on Start and then Run, type %temp% and press the OK button. This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.
- Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.
- Download the cws_swapx.reg file and save it to your desktop. When it is done downloading, double-click on the cws_swapx.reg file located on your desktop and when it asks if you would like to merge the information, click on the Yes button.
- Delete all the files from the entries you fixed in Step 15a. If you are the slightest bit unsure, then do not delete the file.
- Disable and re-enable System Restore using the instructions found here:
Windows XP System Restore Guide
Managing Windows Millennium System Restore
This is a self-help guide. Use at your own risk.
BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.