How can I get rid of CWS SWAPX infection?

Question

We are the recipient of a homepage hijack.

My kids were surfing over the weekend and now we have as the default page the t.swapx.cc/h.php?aid=31403 code. Attempted changes of any kind will not reset the home page.

I tried to download the cwshredder program and it says to "extract to the directory c:\cwshredder". I can download this program to the A drive or the C drive, but when I try to run it Adobe Acrobat says all items not loaded.

How can I get rid of this hijack so I can then install the Cox Spyware blocker?

Luckily I can still run my email for now and do some surfing but I cannot print anything off the internet now.

HELP!!!

We are also looking for a new computer notebook, $800-1200 range.

Pentium 4.

Thanks-

Theresa Dando

Glendale, Arizona


Answer

This question was answered on December 2, 2004. Much of the information contained herein may have changed since posting.

This self-help guide will allow you to remove the CWS SWAPX infection

What this program does:

Hijacks your Internet Explorer to open http://t.swapx.cc/h.php?aid=20009 or http://win-eto.com/hp.htm?id=9 as your home page.

Adds favorites to Internet Explorer that lead to porn sites.

Downloads other malware programs and installs them without your permission.

Deletes your Hosts file.

Tools Needed for this fix:

HijackThis - http://www.bleepingcomputer.com/files/hijackthis.php

Killbox - http://www.bleepingcomputer.com/files/killbox.php

CWShredder - http://www.bleepingcomputer.com/files/cwshredder.php

How to spot the infection:

You will have an O2 entry that has a DLL file in c:\windows\system32, and the name of the file has a ~ in it.

You will have an O4 Global Startup with winlogin.exe.

You will have an O20 entry with a DLL that has a random filename.

Manual Removal:

1 - Download HijackThis from the above link and extract it to c:\hijackthis.

2 - Navigate to the c:\hijackthis directory and double-click on HijackThis.

3 - When the program starts, double-click on the HijackThis icon and then click on the Scan button.

Write the name of the file found in the O20 entry down on a piece of paper. For example, c7vrp0mw8l.dll.

If you do not see an O20 entry, then you most likely do not have this type of infection. Please post a HijackThis log in our HijackThis Logs and Analysis forum and someone will help you to remove the infection you do have.

Exit HijackThis.

4 - Now download and extract Killbox from the above link. Extract the program to your desktop, double-click on its folder and then double-click on Killbox.exe to start the program.

In the killbox program, select the Delete on Reboot option.

In the field labeled Full Path of File to Delete, enter the name of the file found in Step 2 preceded by c:\windows\system32\ (for example, C:\WINDOWS\TEMP\c7vrp0mw8l.dll).

Press the button that looks like a red circle with a white X in it. When it asks if you would like to reboot now, press the Yes button.

5 - After the computer reboots, check to make sure that the file we deleted in Step 3b no longer exists. If it does still exist, repeat Steps 1 through 5 until the file is gone. Otherwise, proceed to Step 6.

6 - Close all Internet Explorer windows.

7 - Run HijackThis again and press the Scan button.

Put a checkmark next to the O2, O4, and O20 entries that are associated with this infection as defined by the symptoms outlined earlier. If you see other entries that contain the following files or words, you can put a checkmark in them as well. Be sure to write down the locations of the files you are fixing first, as we will need to delete them later.

Super-spider

couldnotfind.com

C:\Program Files\ISTbar

C:\Program Files\ISTsvc

c:\program files\180solutions

C:\WINDOWS\kdwzsn.exe

C:\WINDOWS\System32\xesder.exe

C:\Program Files\Power Scan

C:\Program Files\VVSN

C:\Program Files\Internet Optimizer

C:\Program Files\SideFind

*.greg-search.com

www.xxxtoolbar.com

Then press the Fix button.

Exit HijackThis.

8 - Download CWShredder from the above link and extract it to c:\cwshredder.

Close all Internet Explorer windows.

Navigate to the c:\cwshredder directory and double-click on CWShredder.exe.

Then press the Fix button.

When CWShredder has completed, exit the program.

9 - Download Ad-Aware from the above link and install it on your computer.

Launch the program by double-clicking on the link found on your desktop and then immediately click on the update button.

Then scan your computer and clean anything it finds. There is a link to a tutorial on how to use this program above if you run into trouble.

When the scan is complete and you have fixed all the entries, exit Ad-Aware.

10 - Download the Hoster from this Hoster Download Link. This will restore your deleted Hosts file.

Press "Restore Original Hosts" and press "OK".

Now exit Hoster.

11 - In this step we are going to clean out your temp files. Click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

12 - Now I want you to open up Internet Explorer, click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

13 - Download the attached cws_swapx.reg file and save it to your desktop. Then double-click on the cws_swapx.reg file located on your desktop and when it asks if you would like to merge the information, click on the Yes button.

14 - Delete all the files from the entries you fixed in Step 7a. If you are the slightest bit unsure, then do not delete the file.

Now your computer should no longer be infected with the CWS_SWAPX infection.


Author

Posted by Henry of Katharine Gibbs School - New York on December 2, 2004
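The three "how to spot the infection" symptoms above (an O2 BHO DLL in system32 with a ~ in its name, an O4 Global Startup winlogin.exe, and an O20 Winlogon Notify DLL with a random-looking name) can be checked against a saved HijackThis log instead of by eye. The following is an added example, not part of the original answer or of HijackThis itself; the log lines and CLSIDs are constructed, and the "random-looking name" test is a heuristic of my own (8 or more characters mixing letters and digits).

```python
import re

# Constructed sample in HijackThis log style (not a real capture). The O20
# file name c7vrp0mw8l.dll is the example the guide uses; CLSIDs are placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.swapx.cc/h.php?aid=20009
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\sw~ap1.dll
O2 - BHO: PDF Link Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Reader\LinkHelper.dll
O4 - Global Startup: winlogin.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: c7vrp0mw8l - C:\WINDOWS\system32\c7vrp0mw8l.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")      # "O20 - rest of line"
DLL_RE = re.compile(r"([^\\\s]+\.dll)\s*$", re.IGNORECASE)  # trailing DLL file name


def looks_random(name: str) -> bool:
    """Heuristic (assumption, not from the guide): 8+ chars mixing letters and digits."""
    stem = name.lower().rsplit(".", 1)[0]
    return len(stem) >= 8 and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def find_indicators(log: str) -> list[tuple[str, str, str]]:
    """Return (section, file name, reason) for every line matching one of the three symptoms."""
    hits = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        dll = DLL_RE.search(rest)
        name = dll.group(1) if dll else ""
        low = rest.lower()
        if section == "O2" and "\\system32\\" in low and "~" in name:
            hits.append((section, name, "BHO DLL in system32 with ~ in its name"))
        elif section == "O4" and low.startswith("global startup:") and "winlogin.exe" in low:
            hits.append((section, "winlogin.exe", "Global Startup winlogin.exe"))
        elif section == "O20" and name and looks_random(name):
            hits.append((section, name, "Winlogon Notify DLL with random-looking name"))
    return hits


def killbox_paths(log: str) -> list[str]:
    """The O20 file name preceded by c:\\windows\\system32\\, as step 4 asks you to type into Killbox."""
    return ["c:\\windows\\system32\\" + name for s, name, _ in find_indicators(log) if s == "O20"]
```

Run it against your own saved log with `find_indicators(open("hijackthis.log").read())`; an empty result matches the guide's advice that you most likely have a different infection and should post the log instead.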