# CWS Searchx variant keeps reinfecting my system

Okay, I've done everything I can think of to get rid of CWS, and it keeps coming back. I have the Searchx variant coming back over and over again.

I've got CWShredder. I've got Ad-Aware. And I've got Spybot S&D. I've run scans with up-to-date versions of all of them, in succession, even in Safe Mode, and even though each program finds different things to correct, after a little while the CWS search page ("about:blank") comes up again. I've immunized with Spybot, set to show a dialog when it blocks something, and though it comes up now and then to let me know it's working, CWS came back anyway, so it must be on my system where Spybot can't prevent reinstallation.

(Note that, for some reason that I can't figure out, I'm having trouble connecting to ftp sites using Internet Explorer. So if any of these programs updates through that system or a similar one, I might not in fact have up-to-date versions. But I've had no problem getting Ad-Aware updates, so this might not be a problem.)

Also note that the spyware does not appear to return after a reboot. The first few times I open up IE after scanning and rebooting, my home page is clean. Then, for no reason I can discern, I'll open up IE again, and my home page is the accursed "about:blank" CWS search page.

I've got a Windows 98 system, running Internet Explorer. Both are up to date according to Windows Update.

I've read through the FAQ. I've read the Spyware Removal article and followed its instructions to the best of my ability. I've got no idea what else to try. Please help!

Here's my HijackThis log file:

```
Logfile of HijackThis v1.97.7
Scan saved at 9:29:42 AM, on 5/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Iomega\Tools\Register\REMIND.EXE
C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRAM FILES\NTS\ENTERNET 300\APP\EnterNet.exe -AutoStart
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yahoo.com/v/yacscom.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {853C1A83-1639-11D0-8BBF-0080C7A01083} (Web Browser Pop-up Window Control) - http://activex.microsoft.com/activex/contr...eb/webpopup.ocx
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.102/25ed56c5768968ca3116/netzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37871.395474537
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
```
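A HijackThis log is just a list of persistence and browser-extension points, and reading one by hand for the entry that keeps re-seeding a hijack is tedious. The script below is an added example (not part of this thread, and not HijackThis code): it parses the O2 (BHO), O4 (Run/Startup) and O16 (Downloaded Program Files) line formats seen in the log above and applies a few defender triage heuristics: a BHO that reports "(no name)", a Run entry whose executable is not given with a full path, an ActiveX control fetched from a raw IP address, and an ActiveX download that is a bare DLL or EXE rather than a CAB. The sample lines are copied from the log above; a flag means "look at this entry", not "this entry is malicious" (the Google toolbar BHO trips the no-name rule too).

```python
"""Triage heuristics for HijackThis-style log lines (added example; not the
forum's code, not HijackThis itself). Flags entries worth a closer look."""
import re
from urllib.parse import urlparse

# Generic "Oxx - body" line; R/F/N/O prefixes are the HijackThis section codes.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CLSID = r"(\{[0-9A-Fa-f-]+\})"

# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.102/25ed56c5768968ca3116/netzip/RdxIE.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""


def parse_line(line):
    """Split one log line into a dict; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "body": body, "name": None, "target": None}
    if code == "O16":
        # O16 - DPF: {CLSID} (Friendly name) - download URL   (name is optional)
        mm = re.match(CLSID.join((r"DPF:\s+", r"(?:\s+\((.*?)\))?\s+-\s+(\S+)")), body)
        if mm:
            entry["clsid"], entry["name"], entry["target"] = mm.groups()
    elif code == "O2":
        # O2 - BHO: name - {CLSID} - dll path
        mm = re.match(r"BHO:\s+(.*?)\s+-\s+" + CLSID + r"\s+-\s+(.*)$", body)
        if mm:
            entry["name"], entry["clsid"], entry["target"] = mm.groups()
    elif code == "O4":
        # O4 - HKLM\..\Run: [value name] command      or   O4 - Startup: x.lnk = path
        mm = re.match(r"(.*?):\s+\[(.*?)\]\s+(.*)$", body) or re.match(r"(.*?):\s+(.*?)\s+=\s+(.*)$", body)
        if mm:
            entry["hive"], entry["name"], entry["target"] = mm.groups()
    return entry


def first_token(command):
    """Executable part of a Run command, honouring a quoted path with spaces."""
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split()[0]


def flags(entry):
    """Heuristic reasons to review this entry (empty list = nothing notable)."""
    reasons = []
    code, tgt = entry["code"], entry.get("target") or ""
    if code == "O16" and tgt:
        host = urlparse(tgt).hostname or ""
        if IPV4_RE.match(host):
            reasons.append("ActiveX control downloaded from a raw IP address")
        if tgt.lower().endswith((".dll", ".exe")):
            reasons.append("download target is a bare DLL/EXE rather than a CAB")
    elif code == "O2" and entry.get("name") == "(no name)":
        reasons.append("BHO with no name; confirm the DLL belongs to a known product")
    elif code == "O4" and tgt:
        if ":" not in first_token(tgt):
            reasons.append("Run entry without a full path (resolved via search order)")
    return reasons


def triage(log_text):
    """Return [(code, name, reasons)] for every entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flags(entry)
        if reasons:
            findings.append((entry["code"], entry.get("name"), reasons))
    return findings


if __name__ == "__main__":
    for code, name, reasons in triage(SAMPLE_LOG):
        print(f"{code} [{name}]: {'; '.join(reasons)}")
```

Run it against a full log by reading the file into `triage()`. The point is to shrink a 70-line log to the few entries that deserve a manual look; an entry that survives the heuristics is not thereby clean, and a flagged one still needs the path and CLSID checked against a known-product list.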

Okay, here's a quick update.

Based on the information in the CWS Chronicles (here) I decided to check for the realyellowpage variant. I downloaded PrcView and followed the manual removal instructions, unzipping to the desktop and then rebooting in Safe Mode. The long and short of it is that I did not find a file with the 61c00000 61440 characteristics, so I guess I don't have that variant of CWS. It's just a very clever searchx variant.

I've been considering just backing up some files and then formatting my c: drive and reinstalling my system. That should get rid of the much accursed CWS! But if I can avoid that much work, I'd really prefer to.

I see that there are hundreds of new posts here, though. Did I join up just as lots of posts were being moved over to a new forum system, or are there really that many people showing up with new problems? Ew!

http://www10.brinkster.com/expl0iter/freeatlast/Win98Fix.zip

Unzip it.

Go into the folder.

Double click the who.bat

Post the results here.

Okay, got it. I'm not sure whether this worked properly, but here's what I got:

(This is without running a spyware scan to make sure my system's as clean as I can make it. Please let me know if I should do that and try again.)

I just ran system scans with Ad-Aware, Spybot and CWShredder to get my system as clean as possible, then ran who.bat again. The result is the same as in my last post, a file read error on come.dll.

So I went to my System folder to see whether I could find this file. I set my folder options to show all files, and I looked for come.dll. It's not there. I guess that explains the file read error: the file doesn't appear to exist. So why is who.bat looking for it?

It's there; it just hides itself.

Ok in the w98fix folder is a regfile.

Double click it. When asked to merge say yes.

Then reboot.

You should now see that file.

Right click it and hit properties.

Uncheck read only, archive and hidden.

Then you should be able to delete it. It's what is reinstalling the hijack.
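The steps above (the file is on disk but Explorer hides it; clear read-only, hidden and archive; then delete) can be scripted so the attribute-clearing cannot be skipped by accident. The following is an added example, not the thread's who.bat or its .reg file: `present_on_disk()` asks the filesystem directly, which ignores the hidden/system attributes Explorer honours, and `force_delete()` clears the attributes before removing the file. The Win32 call `SetFileAttributesW` and the `FILE_ATTRIBUTE_*` values are real; the `demo()` function builds a constructed sample file in a temporary folder so the script also runs on a non-Windows host, where only the read-only bit applies.

```python
"""Find and remove a file hidden behind Win32 attributes (added example; not
the forum's who.bat or registry file)."""
import ctypes
import os
import stat
import sys
import tempfile

# Win32 file attribute bits (documented constants, not page-specific values).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_NORMAL = 0x80  # setting this alone clears the other attribute bits


def present_on_disk(path):
    """True if the path exists at all; hidden/system attributes do not affect this."""
    return os.path.lexists(path)


def hidden_entries(folder):
    """Names in `folder` that Explorer would hide (Windows only; [] elsewhere)."""
    if sys.platform != "win32":
        return []
    mask = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    with os.scandir(folder) as it:
        return [e.name for e in it if e.stat(follow_symlinks=False).st_file_attributes & mask]


def clear_attributes(path):
    """Equivalent of unchecking read-only, hidden and archive in Properties."""
    # The read-only bit is mirrored into the POSIX mode, so chmod clears it on every platform.
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    if sys.platform == "win32":
        # Hidden/system/archive exist only as Win32 attributes.
        if not ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL):
            raise ctypes.WinError()


def force_delete(path):
    """Return True if the file existed and is now gone, False if it was never there."""
    if not present_on_disk(path):
        return False
    clear_attributes(path)
    os.remove(path)
    return not os.path.lexists(path)


def demo():
    """Constructed sample: a read-only file named like the one in the thread.
    Returns (existed_before, deleted)."""
    folder = tempfile.mkdtemp(prefix="cws-demo-")
    sample = os.path.join(folder, "come.dll")  # sample file, created here, not the real one
    with open(sample, "wb") as fh:
        fh.write(b"placeholder bytes")
    os.chmod(sample, stat.S_IREAD)  # read-only, so a plain delete would fail on Windows
    existed = present_on_disk(sample)
    deleted = force_delete(sample)
    os.rmdir(folder)
    return existed, deleted


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("deleted" if force_delete(sys.argv[1]) else "not present")
    else:
        print("demo (existed, deleted):", demo())
```

Invoked with a path it deletes that one file; with no argument it runs the constructed demo. Checking `present_on_disk()` first is the useful diagnostic here: if it returns True for a file the folder view does not show, the file is simply hidden, not absent, which is exactly the situation described above.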

Excellent! The offending file has been OBLITERATED! Thank you for all your help.

My only remaining question, then, is whether there's still something on my system trying to point to and activate that file. It couldn't tell itself to run, could it? For that matter, how did who.bat know to look for come.dll in the first place? Are there still footprints on my system that led to it, or will they have been deleted as a run-once item that failed to find what it was looking for?

Thanks again! I really appreciate your help!

Stormraven - my apologies if it is bad etiquette for me to ask questions about your problem in order to try to fix my own.

Did your infection include the evil green underlining of certain words on web pages? I have been trying to clear this up on my system, but it too keeps coming back. When I run CWShredder, it reports that it has removed Searchx and Madfinder, and things seem fine for a while, but inevitably it comes back. If you were also getting the green underlines, then I may try the solution provided by Shadowwar.

Thanks