Simple way to deal with searchx?



#1 Adam (Full Member, 2 posts)

Posted 27 May 2004 - 01:06 AM

Okay. This is so easy it can't work, right? It worked for me. For all I know searchx will reinstall itself on my machine somehow, but it has been three days and four reboots and so far so good.

Make sure you have backed up your system and have the latest CWShredder, Killbox, and Spy-bot programs standing by at the ready.

(1) Engage "Search" function on the regular old Windows XP start menu.

(2) Click on "All files and folders"

(3) Click on "More advanced options"

(4) Under "file type" put in .dll

(5) Specify a time period the file was modified according to when searchx first showed up

(6) Execute search

(7) Look for a suspicious file--the searchx .dll randomly generates a name. Mine was bnomp.dll.

(8) Write down that file name and its location

(9) Google that exact file--a rookie's way of checking to see if it isn't some legitimate file. I.e. if it were a legitimate file it would probably show up on some page on the www.

(10) If it is unknown to Google . . . bear in mind I am not an expert and just a guy with a computer so I take no responsibility here . . . go ahead and . . . make sure you have that backup file handy . . . DELETE THAT .dll file using Killbox (using the delete on reboot function, which others have discussed on these boards)

(11) When your system reboots, right click on your IE icon and change your homepage without opening your browser

(12) Run CWShredder and install the security patches and whatnot it says you should when the program is finished. Reboot as needed.

(13) Run Spy-bot and also immunize your computer.

(14) Open that browser and see what happens!

Again, some of the experts on this board are probably correct to say that this is an ill-advised or incomplete solution. All I can say is that doing this would not have occurred to me had I not walked through their excellent advice first. Their solutions did not work for me, but they did help me understand this bugger well enough to try the solution I mentioned above. It has worked for me so far. :)
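Steps 4 through 9 of the post (find DLLs modified inside a time window, note their name and location, then check whether the file is known) can be done without clicking through the XP search dialog and without relying on a web search for the file name. The script below is an added example and is not from the original thread or any of the tools it mentions: it walks a directory, keeps only `.dll` files whose modification time falls within the last N days, hashes each one with SHA-256, and drops any whose hash is already on an allowlist of files you have verified. The allowlist, the `build_sample_tree` fixture, and the file contents are constructed for the demonstration; the name `bnomp.dll` is taken from the post, but the bytes written under it here are not the real file.

```python
import hashlib
import os
import sys
import tempfile
import time
from datetime import datetime
from pathlib import Path


def sha256_of(path):
    """Hash a file in 64 KiB chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def recent_dlls(root, days_back, known_good=frozenset()):
    """Return records for every *.dll under root modified within the last
    days_back days whose SHA-256 is not in known_good (newest first).

    known_good is a set of hex digests of DLLs you have already verified
    (e.g. hashed on a clean machine); the default is empty, so everything
    in the window is reported.  Files that disappear or cannot be read
    mid-walk are skipped rather than aborting the whole scan.
    """
    cutoff = time.time() - days_back * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue
            if st.st_mtime < cutoff:
                continue
            digest = sha256_of(p)
            if digest in known_good:
                continue
            hits.append({
                "path": str(p),
                "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                "sha256": digest,
                "size": st.st_size,
            })
    hits.sort(key=lambda h: h["modified"], reverse=True)
    return hits


def build_sample_tree():
    """Constructed fixture for a stand-alone run (not real system files):
    system32/old_known.dll  - mtime set 30 days back, outside a 7-day window
    system32/bnomp.dll      - written just now, inside the window
    system32/notes.txt      - not a DLL, must never be reported
    Returns the temporary base directory as a Path."""
    base = Path(tempfile.mkdtemp(prefix="dll_triage_"))
    sub = base / "system32"
    sub.mkdir()
    old = sub / "old_known.dll"
    old.write_bytes(b"MZ constructed old dll")
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(old, (thirty_days_ago, thirty_days_ago))
    (sub / "bnomp.dll").write_bytes(b"MZ constructed recent dll")
    (sub / "notes.txt").write_bytes(b"not a dll")
    return base


if __name__ == "__main__":
    # Usage: python dll_triage.py <root> [days_back]; with no arguments the
    # constructed sample tree is scanned with a 7-day window.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 7
    for h in recent_dlls(root, days):
        print(f'{h["modified"]}  {h["size"]:>9}  {h["sha256"][:16]}...  {h["path"]}')
```

Recording the full hash rather than just the file name is the point of the allowlist: a DLL with a randomly generated name can still be matched to a known sample by its digest, and a legitimate file with a plausible name cannot hide behind the name alone.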

#2 shadowwar (Global Moderator, 1,361 posts)

Posted 27 May 2004 - 07:36 AM

Well it will reinstall. This reinstalls from a hidden dll that you cannot find inside of Windows when it's running. It even hides from all antiviruses.

You can see the dll that appears in HijackThis logs but you can't find the hidden one.

Plus Ad-Aware updated will do all you said automatically. But it will come back because Ad-Aware can't tackle the hidden one.



#3 Adam (Full Member, 2 posts)

Posted 27 May 2004 - 11:11 AM

Yes, but it seems to have worked, and that is the puzzling thing.

If you can explain why it might have worked it would help me understand this frustrating but also fascinating problem.

Before I ran the basic windows search I also ran a program called pv, which I downloaded at the advice of someone else on this board. With it I found a hidden .dll with the file size associated with the searchx trojan. I deleted that one first using Killbox. Then I did a windows search and found the other .dll. So, in total, I deleted two .dll files.

I really am not sure about the relationships between these .dll files, but I am certain that I read all the manual removal instructions very carefully and they did not work for me--in that I could not find the .dll files where I was told they would be. This did work (I hope)--day four and at least a dozen reboots later.

#4 cnm (Administrators, 25,317 posts)

Posted 27 May 2004 - 11:20 AM

Adam - read and reply to http://www.spywarein...hp?showtopic=34 if interested in learning.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#5 AmazingRich (Full Member, 45 posts)

Posted 27 May 2004 - 11:38 AM

Well it will reinstall. This reinstalls from a hidden dll that you cannot find inside of Windows when it's running. It even hides from all antiviruses.

You can see the dll that appears in HijackThis logs but you can't find the hidden one.

Has anyone ever seen the hidden dll?

How is the hijacking code able to load the dll if you can't see it with normal tools?

Is it hooked into the boot path, or running IE? Both maybe? (I seem to get reinfected only if I let the address bar search).

It would seem that if it is invisible to antivirus programs that it would be invisible to the disk defragger and would get wiped out during a defrag. True?

#6 cnm (Administrators, 25,317 posts)

Posted 27 May 2004 - 11:39 AM

You too AmazingRich -
Wealth of info in Boot Camp and it's a fine place to ask questions. All are welcome.



#7 shadowwar (Global Moderator, 1,361 posts)

Posted 27 May 2004 - 12:58 PM

Well I have samples of the dll and have spent many hours investigating this thing. It would take a post over 300 lines long to explain everything this nasty does.
Basically the hidden dll downloads the visible dll and reinstalls the hijack.
Sometimes it doesn't show in a pv log.

When it's running it's hooked to EVERY exe program running.





