

Collecting information about SearchX

9 replies to this topic

#1 aib



  • Full Member
  • 8 posts

Posted 21 July 2004 - 09:44 AM

Hello all,

I am looking to collect as much information as I can about CWS.SearchX, the malware that infects explorer and IE and changes the IE starting page to a local file called sp.html (titled "Search For..."). My aim is to

1) Find a way to clean my home computer, and share it with others as soon as I achieve this, i.e. help others clean their computers.
2) Find out who and what the victims are against.
3) Possibly write a dedicated 2-click cleaner to get rid of CWS.SearchX once and for all.

So please, if you have any technical information about this malware, share it with me and all the other users in this thread. Information I am looking for includes:

1) Name/size/checksum/location of dropped .dlls, other executables and other files.
2) Name/location/type/value of registry keys.
3) Effects of the first two. (i.e. "the changed value APPInit_DLLs causes all applications to load the malware DLL at startup, the name.dll in system protects the registry key from deletion)

I am going to start populating the thread soon as I get home and collect more information.

Thank you

#2 H@ns


    Forum Deity

  • Retired Staff - Helper
  • 2,630 posts

Posted 21 July 2004 - 10:36 AM

Take a look here:


and here:
http://www.russellte...e/homeoldsp.htm (some info from Merijn)
Nucia Security Forums - Dutch Anti-Malware Support

#3 aib



  • Full Member
  • 8 posts

Posted 22 July 2004 - 10:04 AM

Ahh yes, I was going to post that link

BTW, the info on Merijn's site does not match my infected computer 100%. Maybe that was why CWSShredder failed to remove SearchX?

Anyway, I will summarize everything on those two links and everything I know here, soon as I get some time on my hands.

#4 Maorza


    New Soldier

  • Full Member
  • 46 posts

Posted 22 July 2004 - 03:05 PM

Newer versions of CoolWebSearch are becoming increasingly harder to remove. Merijn has stated that they are fast becoming too aggressive and sophisticated for a tool like CWShredder to keep up with. He has since stopped working on CWShredder.

You may have a new version that nobody has even seen yet (if in fact you are infected now), and as soon as the good guys find a way to remove a series of nasties, newer ones come along. All the time.

Edited by Maorza, 22 July 2004 - 03:07 PM.

#5 aib



  • Full Member
  • 8 posts

Posted 24 July 2004 - 07:55 AM

That is the difference between manual and automatic cleaning. A (somewhat technically advanced) computer user can be as "paranoid" or as "forgiving" as they want. Cleaner programs cannot afford to do that. Anyway, here is all that I know about SearchX:

Drops a randomly named .dll in system32. Causes iexplore.exe and explorer.exe to load it by adding some values to the registry:

New key: HKCR\PROTOCOLS\Filter\text/html
New string: "CLSID" - value set to a random CLSID, say "CLSID A"

New key: HKCR\PROTOCOLS\Filter\text/plain
New string: "CLSID" - value set to "CLSID A" above

New key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(random CLSID value, call it "CLSID B")

Then of course, it adds the CLSID values to the classes root:
With an "InprocServer32" subkey whose default value points to the randomly-named DLL in system32.

Now, there is one more thing about the string value of "APPInit_DLLs" in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, but SearchX has stopped infecting my computer ever since I got rid of that key (with the rename method found on the forum link above) along with all the stuff above, so I do not know what that string value contains (probably points to the re-infection DLL that resides in system).

Anyway, removing everything above seems to get rid of SearchX for good. Do not forget to have all instances of IE (iexplore.exe) and Explorer (explorer.exe) shut down before attempting to clean it. Shutting down explorer.exe will get rid of your start menu and taskbar, so you will have to use the Task Manager which pops up with Ctrl+Alt+Del or Ctrl+Shift+Esc.
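As an added example (not code from any poster in this thread), the following read-only PowerShell audit walks the registry locations listed in the post above: the MIME filter entries under HKCR\PROTOCOLS\Filter for text/html and text/plain, every Browser Helper Object, and the AppInit_DLLs value, and resolves each CLSID to the DLL its InprocServer32 key loads. It modifies nothing. The .NET registry API is used rather than an HKCR: drive because "text/html" contains a slash that the PowerShell registry provider treats as a path separator; the Wow6432Node views are an assumption added for 32-bit IE on 64-bit Windows, which the thread does not discuss.

```powershell
# Added example: read-only audit of the CWS.SearchX persistence locations named
# in the post above. Run elevated so HKLM is fully readable. Nothing is changed.

$HKCR = [Microsoft.Win32.Registry]::ClassesRoot   # merged view of HKLM and HKCU \Software\Classes
$HKLM = [Microsoft.Win32.Registry]::LocalMachine

# Resolve a CLSID to the DLL path in its InprocServer32 default value.
# The Wow6432Node view is an assumption (32-bit IE on 64-bit Windows).
function Resolve-InprocServer32 {
    param([string]$Clsid)
    foreach ($prefix in @('CLSID', 'Wow6432Node\CLSID')) {
        $key = $HKCR.OpenSubKey("$prefix\$Clsid\InprocServer32")
        if ($key) {
            $dll = [string]$key.GetValue('')
            $key.Close()
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

# Describe a DLL path: does the file exist, and is it Authenticode-signed?
function Describe-Dll {
    param([string]$Path)
    if (-not $Path) { return 'no InprocServer32 value' }
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path (file missing)" }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return "$Path (signature: $($sig.Status))"
}

$findings = @()

# 1. MIME filters: HKCR\PROTOCOLS\Filter\<mime type>, string value "CLSID".
#    A clean machine normally has no filter registered for these two types.
foreach ($mime in @('text/html', 'text/plain')) {
    $key = $HKCR.OpenSubKey("PROTOCOLS\Filter\$mime")
    if ($key) {
        $clsid = [string]$key.GetValue('CLSID')
        $key.Close()
        if ($clsid) {
            $findings += [pscustomobject]@{
                Location = "HKCR\PROTOCOLS\Filter\$mime"
                Clsid    = $clsid
                Dll      = Describe-Dll (Resolve-InprocServer32 $clsid)
            }
        }
    }
}

# 2. Browser Helper Objects: one subkey per CLSID, native and 32-bit views.
$bhoPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($path in $bhoPaths) {
    $key = $HKLM.OpenSubKey($path)
    if ($key) {
        foreach ($clsid in $key.GetSubKeyNames()) {
            $findings += [pscustomobject]@{
                Location = "HKLM\$path"
                Clsid    = $clsid
                Dll      = Describe-Dll (Resolve-InprocServer32 $clsid)
            }
        }
        $key.Close()
    }
}

# 3. AppInit_DLLs: every DLL listed here is loaded into each process that loads
#    user32.dll, which is why the post treats it as the re-infection hook.
$winKey = $HKLM.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows')
if ($winKey) {
    $appInit = [string]$winKey.GetValue('AppInit_DLLs')
    $winKey.Close()
    $findings += [pscustomobject]@{
        Location = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs'
        Clsid    = ''
        Dll      = if ($appInit) { $appInit } else { '(empty)' }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty AppInit_DLLs value and no text/html or text/plain filter are the expected state; any BHO whose DLL sits in system32 with an unrecognised name and no valid signature is worth checking against the description in the post before deciding what to do with it.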

#6 aib



  • Full Member
  • 8 posts

Posted 24 July 2004 - 07:59 AM

Oh, one more thing:
The "APPInit_DLLs" and the deletion-protection stuff is, from the point of view of SearchX, much less powerful than it could potentially be. Further variants with better programming might make it altogether impossible to manually remove the registry key and hence SearchX altogether, without resorting to Safe Mode.

#7 cyberscan



  • Full Member
  • 9 posts

Posted 28 July 2004 - 07:22 AM

Please tell me where I can download this DLL file. I plan to profile it and possibly rewrite some of the functions to cause havoc for the culprit.

#8 scanner13069



  • New Member
  • 2 posts

Posted 30 July 2004 - 12:30 AM

I had this. Use CWShredder, it works great. So far.

#9 aib



  • Full Member
  • 8 posts

Posted 20 August 2004 - 07:27 PM

Unfortunately, I do not have the DLL (or anything related to SearchX) left on my computer, hooray! :)

There are still some questions left to be answered, though. First of all: has CWShredder really worked for you, scanner13069? SearchX is (or was) recurring in nature, and it took anywhere from 3 to 12 hours to re-hijack your starting page and do everything else it does.

#10 Noone



  • Full Member
  • 77 posts

Posted 30 August 2004 - 05:12 AM

Two mirrors of Merijn's site:


Member of UNITE