
How do I completely remove CWS.Searchx?


  • This topic is locked
3 replies to this topic

#1 etniez

etniez

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 04 July 2004 - 09:38 AM

I have had this malware for a very long time and have had no success in removing it. I have used HijackThis (log posted below) and CWShredder as well as about:buster and Ad-Aware 6 in many different sequences, and it will appear to be gone, but then a day later it will come back even without me having to browse the internet. I have even used the programs listed above in safe mode and still no success. Will someone please help me and give me their advice! Also, I have provided my HijackThis log. For further information to help me, I provided a screenshot of what it changes my homepage to, so if anyone has had this before and has removed it, then they can help me. Just please, someone help me; this has been a pain for about two weeks. All help is greatly appreciated. :D



Logfile of HijackThis v1.97.7
Scan saved at 10:26:08 AM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ArmorWall Personal Firewall\ArmorWall.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Documents and Settings\Owner\Desktop\System Utilities and Stuff\CWShredder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Owner\Desktop\System Utilities and Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ARMORWALL] C:\Program Files\ArmorWall Personal Firewall\ArmorWall.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Customize translation options - C:\Program Files\PRMT6\PRMTIE\options.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Pro\Search Extension.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Translate - C:\Program Files\PRMT6\PRMTIE\translat.htm
O8 - Extra context menu item: Translate page - C:\Program Files\PRMT6\PRMTIE\page.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Translate (HKLM)
O9 - Extra 'Tools' menuitem: Customize translation options (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Web Entry (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll

This is the homepage of my malware (CWS.Searchx)
Posted Image

#2 etniez

etniez

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 04 July 2004 - 01:59 PM

This equals gay and I can't get rid of it. Pic below...

Logfile of HijackThis v1.97.7
Scan saved at 2:57:42 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ArmorWall Personal Firewall\ArmorWall.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\System Utilities and Stuff\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ARMORWALL] C:\Program Files\ArmorWall Personal Firewall\ArmorWall.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Customize translation options - C:\Program Files\PRMT6\PRMTIE\options.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Pro\Search Extension.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Translate - C:\Program Files\PRMT6\PRMTIE\translat.htm
O8 - Extra context menu item: Translate page - C:\Program Files\PRMT6\PRMTIE\page.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Translate (HKLM)
O9 - Extra 'Tools' menuitem: Customize translation options (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Web Entry (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll

Posted Image
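
A way to compare the two scans posted above, as an added example that is not part of the original posts: it parses HijackThis log lines by section code and lists what vanished or appeared between scans, which helps spot entries that return after a cleanup. The sample logs are a few lines constructed from the two posts; `parse` and `diff` are hypothetical helper names.

```python
import re

# Constructed samples: a few lines copied from the two scans posted above.
SCAN_1 = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
"""
SCAN_2 = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinMX\WinMX.exe

F0 - system.ini: Shell=
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armorwall personal firewall\netdog.dll
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

def parse(log):
    """Return {section code: set of entries}; running processes go under 'PROC'."""
    out, in_procs = {}, False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            out.setdefault(m.group(1), set()).add(m.group(2).lower())
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            out.setdefault("PROC", set()).add(line.lower())
    return out

def diff(old, new):
    """Per section, the entries that vanished or appeared between two scans."""
    a, b = parse(old), parse(new)
    changes = {}
    for sec in sorted(set(a) | set(b)):
        gone = a.get(sec, set()) - b.get(sec, set())
        added = b.get(sec, set()) - a.get(sec, set())
        if gone or added:
            changes[sec] = {"gone": sorted(gone), "added": sorted(added)}
    return changes

if __name__ == "__main__":
    for sec, ch in diff(SCAN_1, SCAN_2).items():
        print(sec, ch)
```

Entries are lowercased before comparison because the same path appears with different casing within one log, and repeated lines such as the five O10 entries collapse to one.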

#3 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 31 August 2004 - 01:12 PM

  • HijackThis ...
    • Double click on "My Computer" to open it.
    • Double click on the local "C-Drive" to open it.
    • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
    • Please download HijackThis from any of the following locations:
      • spywareinfo.com
      • subratam.org
      • tools.zerosrealm.com
  • Install/Unzip it into C:\HJT.
  • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis, click on scan and wait for the scan to finish.
  • The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.
  • Notepad will open with a copy of the log.
    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.
  • Please post your entire log here for analysis.


#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 28 October 2004 - 03:53 PM

Due to inactivity this topic will be closed.

If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.