CWS SearchX removal


15 replies to this topic

#1 lifeindeadtime (Full Member, 26 posts)

Posted 31 July 2004 - 09:34 AM

I have one of those buggers that keeps changing regardless of how many times I use Adaware, Spybot, CWShredder, HijackThis, etc. Usually I fix the Rs and the O18s, but it keeps coming back. I use the Spybot helper to block other changes to the registry that it causes, but that only helps control the symptoms of the problem.

Here's my HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 10:31:59 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O18 - Filter: text/html - {72E3ED65-0C43-461C-A5DF-63623207C59A} - C:\WINDOWS\System32\bifle.dll
O18 - Filter: text/plain - {72E3ED65-0C43-461C-A5DF-63623207C59A} - C:\WINDOWS\System32\bifle.dll
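A small triage script for logs of this shape, added here as an example and not part of the original thread or of HijackThis: over a constructed excerpt of the log above it flags the two indicators the helper acts on, R0/R1 entries whose search or start page is a local file:// path and O18 MIME filters for text/html or text/plain. The function name and the sample lines are this example's own.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above
# (a few of its lines, not the whole log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O18 - Filter: text/html - {72E3ED65-0C43-461C-A5DF-63623207C59A} - C:\WINDOWS\System32\bifle.dll
O18 - Filter: text/plain - {72E3ED65-0C43-461C-A5DF-63623207C59A} - C:\WINDOWS\System32\bifle.dll
"""

# Every HijackThis item line is "<section> - <rest>", e.g. "R1 - HKCU\...".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.+)$")


def triage_hjt(log_text):
    """Return a list of (section, reason, detail) for the suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("R0", "R1") and " = " in rest:
            key, value = rest.split(" = ", 1)
            # A search/start page that is a local file:// path in a Temp
            # directory is the sign the helper is chasing: the page is
            # rewritten by a DLL on every boot, so fixing the R entry alone
            # does not stick. The AppInit_DLLs value the helper asks for
            # separately is not in the log above, so it is not covered here.
            if value.lower().startswith("file://"):
                findings.append((sec, "search/start page points at a local file",
                                 f"{key} -> {value}"))
        elif sec == "O18" and rest.startswith("Filter: "):
            # An O18 MIME filter for text/html or text/plain sits in front of
            # every page Internet Explorer renders; almost no legitimate
            # software registers one, so its handler DLL deserves a close look.
            mime, _, handler = rest[len("Filter: "):].partition(" - ")
            if mime in ("text/html", "text/plain"):
                dll = handler.rsplit(" - ", 1)[-1]
                findings.append((sec, f"MIME filter for {mime}", dll))
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_LOG):
        print(*finding, sep=" | ")
```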

#2 mmxx66 (Retired Staff, 4,412 posts)

Posted 31 July 2004 - 11:15 AM

Hi. Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

#3 lifeindeadtime (Full Member, 26 posts)

Posted 31 July 2004 - 04:09 PM

Thanks, mmxx66, for helping me.

Here's what was in the value field.

C:\WINDOWS\System32\comeop.dll

#4 mmxx66 (Retired Staff, 4,412 posts)

Posted 31 July 2004 - 05:29 PM

Please follow these steps:

Step 1:
Go to Folder Options> View

Scroll to the bottom of the list to find the box labeled:
Use Simple File Sharing (Recommended)
Remove the check from that box and press ok.

Step 2:

Download CWShredder from this link:
http://www.spywarein.../CWShredder.exe

Save that file somewhere as we will use it later.

Step 3:

Download this file and then immediately sign off the
internet and stay off until all steps are finished.


The file to download is here:

http://computercops....ownload&id=1183

Extract the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.

After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.

Step 4:

Restart the Computer.

Find this file:
c:\windows\system32\comeop.dll

Use the security tab on comeop.dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.

Example:
comeop.dll>bleh.txt
bleh.txt > badfile.111

Please zip that file and store it somewhere as I would like you to email it to me.

Now delete the original file.

Step 5:

Extract and Run CWShredder immediately.
Press the fix button to clean.

Restart and run HijackThis again.
Post your new log here in your next reply.

#5 lifeindeadtime (Full Member, 26 posts)

Posted 01 August 2004 - 07:30 PM

Did you mean the File Options>View in Explorer?

There was no option in that menu entitled "Use Simple File Sharing (recommended)."

If it matters, I'm using XP Home SP 1.

#6 mmxx66 (Retired Staff, 4,412 posts)

Posted 02 August 2004 - 05:03 PM

Try in safe mode logged in as administrator

#7 lifeindeadtime (Full Member, 26 posts)

Posted 02 August 2004 - 05:06 PM

Okay, I restarted in safe mode as an administrator, and here were my options in explorer>file options>view.

Which should I check/uncheck in order to get this done?

FILES AND FOLDERS
--automatically search for network folders and printers
--display file size information in folder tips
--display simple folder view in Explorer's folder list
--display contents of system folders
--display full path in address bar
--display full path in title bar
--HIDDEN FILES AND FOLDERS
----show/don't show hidden
--hide extensions for known file types
--hide protected operating system files (recommended)
--launch folder windows in separate process
--remember each folder's view settings
--restore previous folder windows at logon
--show control panel in my computer
--show encrypted/compressed ntfs files in color
--show pop-up description for folder in desktop items.

Edited by lifeindeadtime, 02 August 2004 - 05:41 PM.


#8 mmxx66 (Retired Staff, 4,412 posts)

Posted 02 August 2004 - 07:50 PM

Please follow these steps:

Step 1:

Download CWShredder from this link:
http://www.spywarein.../CWShredder.exe

Save that file somewhere as we will use it later.

Step 2:

Download this file and then immediately sign off the
internet and stay off until all steps are finished.


The file to download is here:

http://computercops....ownload&id=1183

Extract the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.

After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.

Step 3:

Restart the Computer.

Find this file:
c:\windows\system32\comeop.dll
Right click on it, go to properties and unmark read only file.
Then try to delete it, if that fails try to rename
it first to different name+ext.

Example:
comeop.dll>bleh.txt
bleh.txt > badfile.111

Please zip that file and store it somewhere as I would like you to email it to me.

Now delete the original file.

Step 4:

Extract and Run CWShredder immediately.
Press the fix button to clean.

Restart and run HijackThis again.
Post your new log here in your next reply.

#9 lifeindeadtime (Full Member, 26 posts)

Posted 03 August 2004 - 06:46 PM

Okay, I got comeop.dll to reveal itself, but whenever I try to unselect the "read-only" attribute, I get an access denied message.

I also tried logging in as an administrator in safe mode, but I got the same access denied message.

Then I tried renaming the file as you recommend, but it wouldn't allow me to move or delete it because access is denied.

If you pm me your email address, I could zip it and send it to you as you requested.

What now?

Edited by lifeindeadtime, 03 August 2004 - 07:07 PM.


#10 lifeindeadtime (Full Member, 26 posts)

Posted 13 August 2004 - 09:50 PM

10 days. Bump.

#11 mmxx66 (Retired Staff, 4,412 posts)

Posted 14 August 2004 - 09:50 AM

Sorry for the delay, I didn't get the last notification.

Download, unzip and launch the KillBox:
http://www.downloads...org/KillBox.zip


Once launched, Copy/paste this into the 'main' box (it reads 'Paste full path of file to delete').

c:\windows\system32\comeop.dll

Now, please click on the Action menu and choose "Delete on Reboot".
On the next screen, click on the File menu and choose "Add File". That comeop.dll file will be added to the list automatically. Whether it is there or not, or even whether it is being used by Windows or not, the KillBox will remove it.

Once it's added press (in the 'PendingFileRenameOperations' window) and hit "Process and reboot". You'll be asked to reboot/restart.
Please do so, it means simply restart the computer.

And post a new log.
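To confirm what KillBox's "Delete on Reboot" actually queued before restarting, here is an added example (not KillBox's code and not from the thread) that decodes and builds the PendingFileRenameOperations list in the form winreg returns it, a REG_MULTI_SZ of source/target pairs. The function names and the sample list are this example's own assumptions.

```python
# PendingFileRenameOperations (under HKLM\SYSTEM\CurrentControlSet\Control\
# Session Manager) is a REG_MULTI_SZ of source/target pairs that the session
# manager applies at the next boot, before any file is in use. Sources are NT
# paths (\??\C:\...), an empty target means "delete", and a target starting
# with "!" means replace an existing file. winreg.QueryValueEx hands this
# value back as a list of str, which is the shape handled here.
NT_PREFIX = "\\??\\"


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(values):
    """Decode the list into (source, target, action) tuples."""
    if len(values) % 2:
        raise ValueError("source/target strings must come in pairs")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        if dst == "":
            ops.append((_strip_nt(src), None, "delete"))
            continue
        action = "rename"
        if dst.startswith("!"):
            action, dst = "replace", dst[1:]
        ops.append((_strip_nt(src), _strip_nt(dst), action))
    return ops


def build_delete_on_reboot(paths, existing=()):
    """Append delete entries for paths to an existing list, as a tool would."""
    out = list(existing)
    for p in paths:
        out.extend([NT_PREFIX + p, ""])
    return out


def is_delete_pending(values, path):
    """True if path is queued for deletion (Windows paths compare case-insensitively)."""
    return any(a == "delete" and s.lower() == path.lower()
               for s, _, a in parse_pending_ops(values))


# Constructed sample in the shape winreg returns for this value: one delete
# already queued and one replace-on-reboot from an installer.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\Temp\\setup.tmp", "",
    "\\??\\C:\\WINDOWS\\system32\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\old.dll",
]

if __name__ == "__main__":
    queue = build_delete_on_reboot(["C:\\WINDOWS\\System32\\comeop.dll"], SAMPLE_VALUE)
    for op in parse_pending_ops(queue):
        print(op)
```

On the affected machine the list would come from winreg.QueryValueEx on that key; if the file is not in the decoded output as a "delete" entry, the reboot will not remove it.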

#12 lifeindeadtime (Full Member, 26 posts)

Posted 16 August 2004 - 05:39 PM

I'm still having trouble.

I used Killbox, but the dll file is still there.

It may not have worked because I tried earlier instructions to rename the file to a different name+ext like you instructed earlier. So comeop.dll is now a text file.

When I used Killbox, it said it couldn't change the file because it's not a running process. I tried the "delete and reboot" option anyway, but the file is still on my computer. I still can't delete the file, change the read-only option, or anything else.

On the bright side, CWS Searchx is only re-installed when I try to remove it with Ad-Aware. I don't know if that's progress or not. I would like to remove it entirely from my machine though.

New HijackThis log

Logfile of HijackThis v1.98.0
Scan saved at 6:38:49 PM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

#13 mmxx66 (Retired Staff, 4,412 posts)

Posted 16 August 2004 - 07:04 PM

So you could rename the file.

Edited by mmxx66, 16 August 2004 - 07:05 PM.


#14 lifeindeadtime (Full Member, 26 posts)

Posted 17 August 2004 - 09:33 AM

So you could rename the file.

But I still can't move or delete it in either regular mode or in safe mode as an administrator.

#15 mmxx66 (Retired Staff, 4,412 posts)

Posted 17 August 2004 - 10:28 AM

What is the name of the file now?

#16 lifeindeadtime (Full Member, 26 posts)

Posted 17 August 2004 - 10:32 AM

What is the name of the file now?

It's still comeop.dll but it's a text file.

It's from when I followed these directions from earlier...

Find this file:
c:\windows\system32\comeop.dll
Right click on it, go to properties and unmark read only file.
Then try to delete it, if that fails try to rename
it first to different name+ext.

Example:
comeop.dll>bleh.txt
bleh.txt > badfile.111


I still couldn't do anything with it, so I just changed it back to comeop.dll but it's still a text file.



