Collecting information about SearchX
Posted 21 July 2004 - 09:44 AM
I am looking to collect as much information as I can about CWS.SearchX, the malware that infects explorer and IE and changes the IE starting page to a local file called sp.html (titled "Search For..."). My aim is to:
1) Find a way to clean my home computer, share it with others as soon as I achieve this, ie. help others clean their computers.
2) Find out who and what the victims are against.
3) Possibly write a dedicated 2-click cleaner to get rid of CWS.SearchX once and for all.
So please, if you have any technical information about this malware, share it with me and all the other users in this thread. Information I am looking for includes:
1) Name/size/checksum/location of dropped .dlls, other executables and other files.
2) Name/location/type/value of registry keys.
3) Effects of the first two. (i.e. "the changed value APPInit_DLLs causes all applications to load the malware DLL at startup, the name.dll in system protects the registry key from deletion)
I am going to start populating the thread soon as I get home and collect more information.
Posted 22 July 2004 - 10:04 AM
BTW, the info on Merijn's site does not match my infected computer 100%. Maybe that was why CWSShredder failed to remove SearchX?
Anyway, I will summarize everything on those two links and everything I know here, soon as I get some time on my hands.
Posted 22 July 2004 - 03:05 PM
You may have a new version that nobody has even seen yet (if in fact you are infected now), and as soon as the good guys find a way to remove a series of nasties, there come newer ones. All the time.
Edited by Maorza, 22 July 2004 - 03:07 PM.
Posted 24 July 2004 - 07:55 AM
Drops a randomly named .dll in system32. Causes iexplore.exe and explorer.exe to load it by adding some values to the registry:
New key: HKCR\PROTOCOLS\Filter\text/html
New string: "CLSID" - value set to a random CLSID, say "CLSID A"
New key: HKCR\PROTOCOLS\Filter\text/plain
New string: "CLSID" - value set to "CLSID A" above
New key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(random CLSID value, call it "CLSID B")
Then of course, it adds the CLSID values to the classes root:
With an "InprocServer32" subkey whose default value points to the randomly-named DLL in system32.
Now, there is one more thing about the string value of "APPInit_DLLs" in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, but SearchX has stopped infecting my computer ever since I got rid of that key (with the rename method found on the forum link above) along with all the stuff above, so I do not know what that string value contains (probably points to the re-infection DLL that resides in system).
Anyway, removing everything above seems to get rid of SearchX for good. Do not forget to have all instances of IE (iexplore.exe) and Explorer (explorer.exe) shut down before attempting to clean it. Shutting down explorer.exe will get rid of your start menu and taskbar, so you will have to use the Task Manager which pops up with Ctrl+Alt+Del or Ctrl+Shift+Esc.
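The post above lists the registry locations SearchX uses to get its DLL loaded (the text/html and text/plain protocol filters, a Browser Helper Object entry, and AppInit_DLLs). The following read-only audit script is an added example, not code from this thread or from any of the tools mentioned in it: it enumerates those locations, resolves each CLSID to the InprocServer32 DLL it points at, and flags DLLs that live in system32 and carry no valid Authenticode signature, which matches the "randomly named .dll in system32" described above. It changes nothing in the registry; the function names and the "Suspicious" heuristic are this example's own assumptions.

```powershell
# Added audit example (not from the thread). Read-only: it reports, it does not clean.
# Run from an elevated PowerShell on the machine being inspected.

function Resolve-ClsidServer {
    param([string]$Clsid)
    # A COM class registered under HKCR\CLSID\{guid}\InprocServer32 keeps its DLL
    # path in that subkey's default value. Environment variables may appear in it.
    $path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $path) {
        $raw = (Get-Item -LiteralPath $path).GetValue('')
        if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
    }
    return $null
}

function Get-SearchXIndicators {
    $findings = @()

    # 1. Protocol filters: HKCR\PROTOCOLS\Filter\text/html and text/plain, string value "CLSID".
    #    The subkey names contain a slash, which the registry provider would treat as a
    #    path separator, so walk the parent key instead of building the child path.
    $filterRoot = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Filter'
    if (Test-Path -LiteralPath $filterRoot) {
        foreach ($k in Get-ChildItem -LiteralPath $filterRoot) {
            if ($k.PSChildName -in @('text/html', 'text/plain')) {
                $clsid = $k.GetValue('CLSID')
                $findings += [pscustomobject]@{
                    Location = "PROTOCOLS\Filter\$($k.PSChildName)"
                    Clsid    = $clsid
                    Server   = if ($clsid) { Resolve-ClsidServer $clsid } else { $null }
                }
            }
        }
    }

    # 2. Browser Helper Objects: each subkey name is a CLSID that IE loads at startup.
    $bhoRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bhoRoot) {
        foreach ($k in Get-ChildItem -LiteralPath $bhoRoot) {
            $findings += [pscustomobject]@{
                Location = 'Browser Helper Objects'
                Clsid    = $k.PSChildName
                Server   = Resolve-ClsidServer $k.PSChildName
            }
        }
    }

    # 3. AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll.
    #    The value may list several DLLs separated by spaces or commas; each is reported on its own.
    $winKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -LiteralPath $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
            $findings += [pscustomobject]@{
                Location = 'AppInit_DLLs'
                Clsid    = $null
                Server   = [Environment]::ExpandEnvironmentVariables($dll)
            }
        }
    }

    return $findings
}

# Heuristic (this example's assumption): a server DLL under system32 without a valid
# Authenticode signature is worth a closer look. Signed Microsoft components are not flagged.
$system32 = Join-Path $env:SystemRoot 'System32'
Get-SearchXIndicators | ForEach-Object {
    $f = $_
    $suspicious = $false
    if ($f.Server -and (Test-Path -LiteralPath $f.Server)) {
        $inSys32 = $f.Server.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $sigStatus = (Get-AuthenticodeSignature -LiteralPath $f.Server).Status
        $suspicious = $inSys32 -and ($sigStatus -ne 'Valid')
    }
    $f | Add-Member -NotePropertyName Suspicious -NotePropertyValue $suspicious -PassThru
} | Format-Table -AutoSize
```

The script deliberately stops at reporting: once a flagged DLL and its CLSID are known, the removal order the post describes still applies (close every iexplore.exe and explorer.exe first, then delete the registry values, then the file), and the file name, size and checksum of anything flagged are exactly the details the first post asks people to collect.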
Posted 24 July 2004 - 07:59 AM
The "APPInit_DLLs" and the deletion-protection stuff is, from the point of view of SearchX, much less powerful than it could potentially be. Further variants with better programming might make it altogether impossible to manually remove the registry key and hence SearchX altogether, without resorting to Safe Mode.
Posted 28 July 2004 - 07:22 AM
Posted 20 August 2004 - 07:27 PM
There are still some questions left to be answered, though. First of all: Has CWShredder really worked for you, scanner13069? SearchX is (or was) recurring in nature, and it took anywhere from 3 to 12 hours to re-hijack your starting page and do everything else it does.