CWS Searchx variant keeps reinfecting my system


  • Please log in to reply
9 replies to this topic

#1 Stormraven

Posted 21 May 2004 - 10:00 AM

Okay, I've done everything I can think of to get rid of CWS, and it keeps coming back. I have the Searchx variant coming back over and over again.

I've got CWShredder. I've got Ad-Aware. And I've got Spybot S&D. I've run scans with up-to-date versions of all of them, in succession, even in Safe Mode, and even though each program finds different things to correct, after a little while the CWS search page ("about:blank" :angry: ) comes up again. I've immunized with Spybot, set to show a dialog when it blocks something, and though it comes up now and then to let me know it's working, CWS came back anyway, so it must be on my system where Spybot can't prevent reinstallation.

(Note that, for some reason that I can't figure out, I'm having trouble connecting to ftp sites using Internet Explorer. So if any of these programs updates through that system or a similar one, I might not in fact have up-to-date versions. But I've had no problem getting Ad-Aware updates, so this might not be a problem.)

Also note that the spyware does not appear to return after a reboot. The first few times I open up IE after scanning and rebooting, my home page is clean. Then, for no reason I can discern, I'll open up IE again, and my home page is the accursed "about:blank" CWS search page.

I've got a Windows 98 system, running Internet Explorer. Both are up to date according to Windows Update.

I've read through the FAQ. I've read the Spyware Removal article and followed its instructions to the best of my ability. I've got no idea what else to try. Please help! :(

#2 Stormraven

Posted 21 May 2004 - 10:01 AM

Here's my HijackThis log file:

Logfile of HijackThis v1.97.7
Scan saved at 9:29:42 AM, on 5/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Iomega\Tools\Register\REMIND.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
F1 - win.ini: load=C:\PROGRA~1\IOMEGA\TOOLS\REGISTER\remind.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRAM FILES\NTS\ENTERNET 300\APP\EnterNet.exe -AutoStart
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yaho...m/v/yacscom.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {853C1A83-1639-11D0-8BBF-0080C7A01083} (Web Browser Pop-up Window Control) - http://activex.micro...eb/webpopup.ocx
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.102...etzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.c...PlayerAxWin.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com.../gigexagent.dll
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37871.395474537
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
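A small triage script for entry lines in the format of the HijackThis log above; it is an added example, not part of this thread or of HijackThis, and the sample lines are constructed (the O16 host is a placeholder, not a real download site). It flags unnamed BHOs, Run entries that name a bare executable resolved through the search path, and ActiveX downloads from raw IP hosts, each of which merits a manual look rather than being proof of infection.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of a HijackThis 1.97 log (abridged).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://192.0.2.10/example/ctl.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_hjt(text):
    """Return (code, body) pairs for the R/F/O entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def executable_of(cmd):
    """First token of a Run command, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def review(entries):
    """Apply simple triage heuristics; each hit is (code, reason, detail)."""
    hits = []
    for code, body in entries:
        if code == "O2":
            m = O2_RE.match(body)
            if m and m.group("name") == "(no name)":
                hits.append((code, "unnamed BHO", m.group("path")))
        elif code == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in executable_of(m.group("cmd")):
                hits.append((code, "bare filename, resolved via search path", m.group("key")))
        elif code == "O16":
            m = O16_RE.match(body)
            host = urlparse(m.group("url")).hostname if m else None
            if host and IPV4_RE.match(host):
                hits.append((code, "ActiveX download from bare IP host", m.group("url")))
    return hits
```

Run `review(parse_hjt(open("hijackthis.log").read()))` against a saved log to get the list of entries worth checking by hand.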

#3 Stormraven

Posted 25 May 2004 - 09:36 AM

Okay, here's a quick update.

Based on the information in the CWS Chronicles (here) I decided to check for the realyellowpage variant. I downloaded PrcView and followed the manual removal instructions, unzipping to the desktop and then rebooting in Safe Mode. The long and short of it is that I did not find a file with the 61c00000 61440 characteristics, so I guess I don't have that variant of CWS. It's just a very clever searchx variant.

I've been considering just backing up some files and then formatting my c: drive and reinstalling my system. That should get rid of the much accursed CWS! But if I can avoid that much work, I'd really prefer to.

I see that there are hundreds of new posts here, though. Did I join up just as lots of posts were being moved over to a new forum system, or are there really that many people showing up with new problems? Ew! :p

#4 shadowwar

Posted 25 May 2004 - 09:38 AM

Download this:

http://www10.brinkst...st/Win98Fix.zip

Unzip it.
Go into the folder.
Double click the who.bat
Post the results here.
#5 Stormraven

Posted 27 May 2004 - 06:41 PM

Okay, got it. I'm not sure whether this worked properly, but here's what I got:

C:\WINDOWS\System\COME.DLL +++ File read error

(This is without running a spyware scan to make sure my system's as clean as I can make it. Please let me know if I should do that and try again.)

#6 Stormraven

Posted 31 May 2004 - 10:13 AM

I just ran system scans with Ad-Aware, Spybot and CWShredder to get my system as clean as possible, then ran who.bat again. The result is the same as in my last post, a file read error on come.dll.

So I went to my System folder to see whether I could find this file. I set my folder options to show all files, and I looked for come.dll. It's not there. I guess that explains the file read error: the file doesn't appear to exist. So why is who.bat looking for it?

Edited by Stormraven, 31 May 2004 - 10:23 AM.


#7 shadowwar

Posted 31 May 2004 - 07:24 PM

It's there; it just hides itself.

Ok in the w98fix folder is a regfile.

Double click it. When asked to merge say yes.

Then reboot.

You should now see that file.

Right click it and hit properties.
Uncheck read only, archive and hidden.

Then you should be able to delete it. It's what is reinstalling the hijack.

#8 Stormraven

Posted 01 June 2004 - 08:19 AM

Excellent! The offending file has been OBLITERATED! Thank you for all your help. :D

My only remaining question, then, is whether there's still something on my system trying to point to and activate that file. It couldn't tell itself to run, could it? For that matter, how did who.bat know to look for come.dll in the first place? Are there still footprints on my system that led to it, or will they have been deleted as a run-once item that failed to find what it was looking for?

Thanks again! I really appreciate your help!

#9 mister_ed2

Posted 01 June 2004 - 08:47 AM

Stormraven - my apologies if it is bad etiquette for me to ask questions about your problem in order to try to fix my own.

Did your infection include the evil green underlining of certain words on web pages? I have been trying to clear this up on my system, but it too keeps coming back. When I run CWShredder, it reports that it has removed Searchx and Madfinder, and things seem fine for a while, but inevitably it comes back. If you were also getting the green underlines, then I may try the solution provided by Shadowwar.

Thanks

#10 Stormraven

Posted 04 June 2004 - 07:18 AM

I didn't get the green underlines, no. Perhaps that's a feature of Madfinder rather than Searchx, or some other spyware. But in order to get rid of the Searchx strain, you may as well try the same solution I did. It worked! It's three days later, and there's been no corruption of my home page.