CWS.searchX problems



#1 Laxen


Posted 28 July 2004 - 05:35 AM

I have a problem removing CWS.searchx; it keeps reinfecting my system. According to CWShredder, which I use (daily now...), it's removed, but it instantly re-emerges. Neither Ad-Aware nor S&D will help, nor does my antivirus program.

CTRL+ALT+DEL and choosing Processes shows two items which I don't know have any significance: "Link bash joy" and "up deaf".

Having limited experience with computers, I don't know if a log from HijackThis will help you, but since it has been requested in almost all other topics here, I will supply mine:

-----------

Logfile of HijackThis v1.98.0
Scan saved at 12:25:19, on 2004-07-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Winamp\Winampa.exe
C:\WINDOWS\System32\msnqmgr.exe
c:\program\intern~1\iexplore.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\DC++\DCPlusPlus.exe
C:\Program\Winamp\Winamp.exe
c:\program\intern~1\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\laxen\Skrivbord\Gamla genvägar\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar_en_2.0.111-big.dll
O2 - BHO: (no name) - {AC55DDA9-6176-59C4-FB65-88DBD58669E8} - C:\Program\OPENAM~1\Hope Mail.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar_en_2.0.111-big.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MixHeart] C:\Program\BONEST~1\Link Bash Joy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Per\Deamon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
O4 - HKLM\..\Run: [Mapi Thunk More For] C:\Documents and Settings\All Users\Application Data\The Ace Mapi Thunk\Up Deaf.exe
O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europ.../wowbeta/Si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.st.../soesysinfo.cab

-----------

Service Pack 1 is installed, as are the latest upgrades for Win XP from Microsoft's site.

----------


The problem presents itself as my being directed to CWS as homepage, usually together with a popup, and a lot of added sites in my "favourites" bar.


---------

Very thankful for any help!

#2 NonSuch


Posted 01 August 2004 - 07:56 PM

Hello,

NOTE: Please print a copy of these instructions because you will be working in Safe Mode and/or with all windows closed except HijackThis.

Please run HijackThis in Safe Mode.

Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the "Show Hidden Files and Folders" option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select "fix checked."

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {AC55DDA9-6176-59C4-FB65-88DBD58669E8} - C:\Program\OPENAM~1\Hope Mail.exe

O4 - HKLM\..\Run: [MixHeart] C:\Program\BONEST~1\Link Bash Joy.exe

O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe

O4 - HKLM\..\Run: [Mapi Thunk More For] C:\Documents and Settings\All Users\Application Data\The Ace Mapi Thunk\Up Deaf.exe

O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe

O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europ.../wowbeta/Si.cab


Now search for, and delete if found (some files may not be present after the previous steps), the following:

Folders:

C:\Program\OPENAM~1\ This folder's name begins with OPENAM and other letters will follow that. You will have to search for it to find it. It will be located in the Program folder.

C:\Program\BONEST~1\ The same for this folder... also in the Program folder, and its name begins with BONEST with other letters following. Search for it and delete it when found.

C:\Documents and Settings\All Users\Application Data\The Ace Mapi Thunk\

File:

msnqmgr.exe

Please delete your temporary files by deleting all files and folders inside the following temp folders (do not delete the temp folders themselves), for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Empty your Recycle Bin.

Reboot into normal mode.

Check CWShredder for updates. Run the program with all other windows closed, hitting Fix as opposed to Scan. Run it a second time. Reboot when finished.

Proceed to the Windows Update site (see link below), and download and install ALL critical updates.

Reboot when finished.

If you are not running version 1.3 of Spybot S & D, click here to download Spybot Search & Destroy v1.3 - install, update, reboot into Safe Mode, scan and fix all RED items it finds. Reboot into normal mode when done.

Perform a customized Ad-aware scan in Safe Mode.

If you do not have the latest version of Ad-aware, version 6, Build 6.181, click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then boot into Safe Mode, start the program, and click the gear wheel at the top and check these options to configure Ad-aware for a customized scan:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot into normal mode when finished.

Next, perform online virus and Trojan scans, using the links in my signature below. Allow the programs to delete all that they may find. Reboot after each scan.

Scan with HijackThis and post a fresh log into this same thread.
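As an added illustration, not part of either post, here is the kind of reasoning behind NonSuch's "fix checked" picks written out as Python that triages HijackThis R3/O2/O4 lines. The sample lines are copied from the log above; the severity labels, the reasons and the `USER_WRITABLE` folder list are my own assumptions, not anything from the thread or from HijackThis itself.

```python
import re
# Added example, not from the thread: triage HijackThis O2/O4/R3 lines with the heuristics a helper applies.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .* - \(no file\)$")

# Assumed list: folders any user can write to; installed software rarely autostarts from them.
USER_WRITABLE = ("\\application data\\", "\\documents and settings\\", "\\temp\\")

def exe_path(cmd):
    """Program path from an O4 command line: the quoted part, or everything before -x / /x switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return re.match(r"(.+?)(?:\s+[-/]\S*)*$", cmd).group(1)

def triage(lines):
    """Return (severity, reason, line) for every entry that deserves a second look."""
    flags = []
    for line in (l.strip() for l in lines):
        m2, m4 = O2_RE.match(line), O4_RE.match(line)
        if R3_RE.match(line):
            flags.append(("high", "URLSearchHook points at a file that no longer exists", line))
        elif m2 and not m2["path"].lower().endswith((".dll", ".ocx")):
            flags.append(("high", "BHO registered as an EXE; BHOs are in-process DLLs", line))
        elif m4:
            path = exe_path(m4["cmd"])
            if m4["key"] == "RunServices":
                flags.append(("high", "RunServices is a Windows 9x/Me autostart key; XP software rarely uses it", line))
            elif any(d in path.lower() for d in USER_WRITABLE):
                flags.append(("high", "autostart program lives in a user-writable data folder", line))
            elif re.search(r"~\d", path):
                flags.append(("check", "8.3 short path stored in the registry; installers normally write the long path", line))
            elif "\\" not in path:
                flags.append(("check", "bare file name, resolved via the search path; verify which copy runs", line))
    return flags

# Sample input: lines copied from the log posted above.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar_en_2.0.111-big.dll",
    r"O2 - BHO: (no name) - {AC55DDA9-6176-59C4-FB65-88DBD58669E8} - C:\Program\OPENAM~1\Hope Mail.exe",
    r"O4 - HKLM\..\Run: [MixHeart] C:\Program\BONEST~1\Link Bash Joy.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe",
    r"O4 - HKLM\..\Run: [Mapi Thunk More For] C:\Documents and Settings\All Users\Application Data\The Ace Mapi Thunk\Up Deaf.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe",
]

for severity, reason, line in triage(SAMPLE_LOG):
    print(f"[{severity}] {reason}\n    {line}")
```

Entries in well-known vendor paths (the Google BHO, QuickTime) produce nothing, while the four "high" hits are exactly the R3, O2 and O4 lines NonSuch asked to have fixed.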



