OT: CWS hijacker, can't get rid of it

08-24-2004, 05:25 PM
Spysweeper and Window washer don't seem to be able to clear it from my XP Pro system. They simply re-appear after seemingly successful elimination.

If anyone has a solution please let me know.


08-24-2004, 05:49 PM

They seem to have some trouble and are switching servers ( or something like that ), but do a search on a program called

It's specifically designed to remove different variants of CWS.
Hopefully you don't have a version they can't cure.

Big Jay
08-24-2004, 07:45 PM

look for adaware and
spybot search and destroy

both are free and remove quite a few spy and ad programs

08-24-2004, 09:19 PM

The shredder tool did its job!! Spyware, yukkkk, really annoying!
You can't imagine the trouble I had just to get to a download page of it because of constant hijacking, LOL.

thx again!!

08-25-2004, 02:22 AM
It might come back... The Shredder does the job for the moment but in my case the nasty little program had a backup that masked itself as a 16-bit legacy file... the file is invisible to windows (I mean really invisible... doesn't friggin' exist) and it requires hacking into the registry to make it visible... once it's visible, the only task left is to delete it and that wasn't easy...
It's a real nasty piece of software but I admire their ingenuity... I would have them killed though if I could just find out where they live...

If you search the web I'm sure you'll find info that is a little more precise than my drunken ramblings...

08-25-2004, 07:47 AM
I am often called out of my office (I do a lot of computer service work) to fix spyware infestations (often appear to be virus activity) and have found the following three programs used together help eliminate 99% of the mess.

www.lavasoftusa.com --- Adware Personal SE (new version)

http://www.safer-networking.org/en/download/ --- Spybot search and destroy

http://www.spychecker.com/program/hijackthis.html --- HijackThis!

Hijack This is very useful (and can be very harmful) to check out what is tying into your browser and startup.

The only thing I have seen that Adaware or Spybot hasn't been able to fully kill is wintools. To kill this, boot into safemode. Go to Program Files > Common Files > WinTools and rename all the exe and dll files in the folder. Then create FOLDERS with the names of the old files.

For example, if you have a file called WinToolsB.exe make a folder called WinToolsB.exe. This is a nice trick to help keep the file from coming back. I haven't yet seen one overwrite the folder back into a file. Plus, it lets you know when something tried to get into your system as at start up, it will open the folder.

Oohh, and for the best clean, boot into safemode and run your cleaning tools.

08-25-2004, 10:58 AM
There is one more useful piece of software which was actually recommended from within spybot:


It blocks all recognized bad ActiveX-based components from running. It does not run in the background so no resources are wasted. There is also a program called spywareguard, from the same people/website. I do not use it personally. It runs in the background and checks in real time for possible hijacks. I usually install it for people (some of my friends, etc) who do not know how to behave on the net and usually end up with spyware.

Big Jay
08-26-2004, 03:31 PM
never thought of the folder naming trick. I just copied notepad.exe into those locations and just renamed it into the name of the adware. Would have saved me some time closing notepad windows.

08-26-2004, 04:00 PM
So, if you delete the folder it reappears after next windows reboot etc?

08-27-2004, 07:24 AM
art: Putting folders in place of the files just lets you know that the program you had eradicated from your PC has come back, or tried to come back. And it also helps prevent future infestations (works for most viruses also).
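
The folder-placeholder trick from the posts above (a folder named WinToolsB.exe occupying the removed file's name), sketched as an added example that is not part of the original thread: it plants the placeholders, shows that writing a file over one fails, and audits them later. The `.quarantined` rename suffix and the second file name `WinToolsA.dll` are assumptions made for the demo.

```python
import os
import tempfile

def plant_placeholders(folder, names):
    """Put an empty directory where each unwanted file used to be."""
    planted = []
    for name in names:
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            # Set the live file aside first (assumed suffix; the post just says "rename").
            os.replace(path, path + ".quarantined")
        if not os.path.isdir(path):
            os.mkdir(path)
            planted.append(name)
    return planted

def can_drop_file(path):
    """Do what a reinstaller would: open the name for writing as a regular file."""
    try:
        with open(path, "wb") as fh:
            fh.write(b"MZ")
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False

def audit_placeholders(folder, names):
    """Report whether each placeholder is intact, tampered, replaced or missing."""
    report = {}
    for name in names:
        path = os.path.join(folder, name)
        if os.path.isdir(path):
            report[name] = "tampered" if os.listdir(path) else "intact"
        elif os.path.exists(path):
            report[name] = "replaced"  # a file is back under the old name
        else:
            report[name] = "missing"   # placeholder deleted, name is free again
    return report

def demo():
    names = ["WinToolsB.exe", "WinToolsA.dll"]  # second name is constructed
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, names[0]), "wb") as fh:
            fh.write(b"constructed sample, not a real binary")
        planted = plant_placeholders(folder, names)
        blocked = [can_drop_file(os.path.join(folder, n)) for n in names]
        # Simulate a reinfection that removed one placeholder and rewrote the file.
        os.rmdir(os.path.join(folder, names[1]))
        can_drop_file(os.path.join(folder, names[1]))
        return planted, blocked, audit_placeholders(folder, names)

if __name__ == "__main__":
    print(demo())
```

A `replaced` or `missing` result is the signal the posts describe: something came back, or tried to.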

08-27-2004, 07:42 AM
I was cleaning someone's computer once and they had something very nasty installed (I don't recall the name) and although spybot and adaware were detecting it, they could not remove it because the files were in use. The during-reboot scans could not remove it either for some reason. I used the free Process Explorer from sysinternals.com to see what was going on. Apparently the rogue program was somehow running under the winlogon process. In order to delete the rogue exe I would have to kill the winlogon process, but as soon as I did that windows was going down. (btw. Process Explorer allows you to kill some processes that regular task manager does not allow you to touch).
What I did might be useful for you guys in the future should a similar situation occur. I found the rogue exe and opened the security properties for it (I guess you need win 2000 or xp pro for that). I revoked all access for everyone including admin. Obviously, after restart the file did not execute. As admin, I was able to take the ownership again, so I did and since the exe was not running, I was able to delete it.

08-27-2004, 08:39 AM
When that happens, Safemode usually works.

08-27-2004, 09:44 AM
Yeah, I'm aware of the safe mode which I always use to scan for viruses. For spyware I usually search in normal mode, but in the case I described, I certainly tried safemode before looking for different solutions.

btw. that person had well over 1000 objects detected by adaware, majority of which were not cookies. I'm still waiting to see a machine that beats that record. :)