cws.searchx [of course, what else?]


14 replies to this topic

#1 thenrainsaid (Full Member, 14 posts)

Posted 01 June 2004 - 04:10 PM

:scratchhead: <-- neanderthal perplexed face seems quite apropos here.

I really can't seem to be rid of CWS.Searchx [classified according to CWShredder].

I cannot install Spyware Blaster, it says another part of my machine has corrupted it. I cannot restore my machine to a previous system check, it always fails. I ran it through norton antivirus to make sure there were no viruses prohibiting installment of the Blaster, to no avail. AVG [which I run jointly with norton on my other machines, but for some reason not on this one] is unable to be installed.

I have run the system through updated Ad-aware in depth, with cloak as well, and with advised settings. Each time Searchx is removed, as it is with the shredder, yet each time my computer reboots, it's back. I have deleted MS Java from my machine and installed the Sun version. I have also updated IE to my best abilities -- which quaintly involves all updates except for the SP1, which always fails.

I have checked for CWS.Realyellowpage variant hook with it, but it doesn't exist. I have used Spybot. You know the drill. I was also told to delete AppInit_DLLs and therefore already have. Now, I come to you with the output of FindAll shortly thereafter... any help would be much appreciated.


--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/01 @@@***==--


Tue Jun 01 15:44:30 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "KIDS" (305E:15DF) - FS:FAT clusters:16k
Total: 39 996 407 808 [37G] - Free: 25 819 037 696 [24G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2600.0 shp 91,136 08-23-2001 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;Q824145;Q330994;Q837009;Q832894;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"DigExt"=""


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1120 shp 4,639 08-23-2001 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 03-19-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.0 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.0 shp 134,144 08-23-2001 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 03-19-2004 regedt32.exe


»»PC uptime:
3:44pm up 0 days, 17:28

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
300 SMSS.EXE
348 CSRSS.EXE Title:
372 WINLOGON.EXE Title: NetDDE Agent
420 SERVICES.EXE Svcs: Eventlog,PlugPlay
432 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
608 SVCHOST.EXE Svcs: RpcSs
636 SVCHOST.EXE Svcs: AudioSrv,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility
helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Sched
le,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,The
es,TrkWks,up
756 SVCHOST.EXE Svcs: Dnscache
776 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
888 SPOOLSV.EXE Svcs: Spooler
936 CCEVTMGR.EXE Svcs: ccEvtMgr
956 NISUM.EXE Svcs: NISUM
1160 ALG.EXE Svcs: ALG
1176 CCPXYSVC.EXE Svcs: ccPxySvc
1232 Navapsvc.exe Svcs: navapsvc
1544 XL.EXE Svcs: XtreamLok License Manager
560 EXPLORER.EXE Title: Program Manager
1860 ccApp.exe Title: Norton AntiVirus
1592 jusched.exe Title: OleMainThreadWndName
2720 avg6688fu_free.exe
2816 avg6688fu_free.exe
2860 avg6688fu_free.exe
3152 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2908 ntvdm.exe
3580 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access KIDS2\Antonia
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access KIDS2\Antonia




»»Size of 'Windows' key: (Defaults *450)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Group/user settings:


User: [KIDS2\Antonia], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group KIDS2\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.


»»Contents of file(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Tue Jun 01 15:45:04 2004 -- ++Find-All backups created:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

#2 thenrainsaid (Full Member, 14 posts)

Posted 01 June 2004 - 07:50 PM

Can anyone please help me? My brother needs to use the machine and I'm under pressure. Thanks.

#3 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 01 June 2004 - 08:06 PM

Hi there!

I can help, but it seems you already started the process and renamed the 'Windows' key! The 'AppInit_Dlls' value is missing from your log, and the size=398 indicates the standard size when deleted.

Can you specify what you have done so far, on your own?

> I was also told to delete AppInit_DLLs and therefore already have. Now, I come to you with the output of FindAll shortly thereafter

Keep in mind that starting the process first may have some minor, irreversible implications.

Details...
http://www.spywarein...wtopic=3544&hl=

Meanwhile, do 'find-files' for C:\WINDOWS\System32\WDM.DLL and specify whether it can be found.

#4 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 01 June 2004 - 08:17 PM

Afterthought: since you renamed the Windows key and deleted the 'AppInit' value already, your culprit file is likely to be the WDM.DLL in the System32 folder.

Since you are running the FAT32 file system, you should have no trouble simply deleting it.

However, confirm the file and its properties first, since there could be legitimate file(s) by that name.

If that file is found with:
* Read-only attributes
* No version (company) in properties
* Sizes of: 56.0 KB (57,344 bytes), or: 21.0 KB (21,504 bytes)

Go ahead and delete it.

If the details don't match, post them here first.
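As an added example (not from this thread or from Find-All, CWShredder or any other tool named in it), a PowerShell triage helper that applies the checks freeatlast describes in posts #3 and #4 without deleting anything: it reads the AppInit_DLLs value from the 'Windows' key that Find-All dumped, and reports whether a suspect WDM.DLL carries the listed indicators (read-only, no company in the version resource, 57,344 or 21,504 bytes). The default path, the `-Path` parameter and the Authenticode check are my additions, and the script assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example: triage helper for the WDM.DLL / AppInit_DLLs checks in this thread.
# Assumptions: elevated PowerShell on the affected machine; the default path is the
# file Find-All flagged; the byte sizes are the ones listed in post #4.
param(
    [string]$Path = "$env:SystemRoot\System32\WDM.DLL"
)

$SuspectSizes = @(57344, 21504)   # 56.0 KB and 21.0 KB, as given in the thread

function Test-SuspectDll {
    param([string]$File)
    # -Force makes hidden/system files visible to Get-Item
    $item = Get-Item -LiteralPath $File -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        # The poster only found the file from Safe Mode
        return [pscustomobject]@{ Path = $File; Found = $false; Verdict = 'not found (retry from Safe Mode)' }
    }
    $readOnly  = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
    $company   = $item.VersionInfo.CompanyName
    $noVersion = [string]::IsNullOrWhiteSpace($company)
    $sizeMatch = $SuspectSizes -contains $item.Length
    # Extra check (my addition): a genuine OS component carries a valid Authenticode signature
    $signed    = (Get-AuthenticodeSignature -LiteralPath $File).Status -eq 'Valid'
    if ($readOnly -and $noVersion -and $sizeMatch -and -not $signed) {
        $verdict = 'matches all listed indicators'
    } else {
        $verdict = 'indicators do not all match: post the details before deleting'
    }
    [pscustomobject]@{
        Path      = $File
        Found     = $true
        SizeBytes = $item.Length
        ReadOnly  = $readOnly
        Company   = $company
        Signed    = $signed
        Verdict   = $verdict
    }
}

function Get-AppInitDlls {
    # The 'Windows' key Find-All dumps; AppInit_DLLs should be empty on a clean machine.
    # LoadAppInit_DLLs (Vista and later) controls whether the value is honoured at all.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AppInit_DLLs     = $v.AppInit_DLLs
        LoadAppInit_DLLs = $v.LoadAppInit_DLLs
    }
}

Test-SuspectDll -File $Path | Format-List
Get-AppInitDlls | Format-List
```

A 'not found' result in normal mode is consistent with what the thread reports; the file only became visible after booting to Safe Mode.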

#5 thenrainsaid (Full Member, 14 posts)

Posted 01 June 2004 - 09:15 PM

Yeah, actually I started the "process" prior to finding this board... So I hadn't found/run FindAll yet. I hope that doesn't jeopardize things. I haven't done anything past that "phase" though... so I'm hoping it'll be OK?

How do I find out the properties, and change them, and such like that?
I really need a step by step walkthrough at this point, as I don't want to mess anything up anymore :(

Thanks

Edited by thenrainsaid, 01 June 2004 - 09:19 PM.


#6 thenrainsaid (Full Member, 14 posts)

Posted 01 June 2004 - 09:25 PM

Ok, actually, I'm running a system search right now because I can't locate any file named wdm.dll easily... >.< That isn't good, is it?

#7 thenrainsaid (Full Member, 14 posts)

Posted 01 June 2004 - 09:29 PM

Yeeeeah... my computer says that file doesn't [visibly?] exist.

::hangs self with a spork::

#8 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 01 June 2004 - 10:15 PM

Well, I'm not sure how to proceed. As in the link I posted, you deleted the AppInit after renaming the 'windows' folder?

In that case the file should be visible.

To find files and their properties: you locate it and right-click. Size and version should be displayed.

You should try restarting in Safe Mode and searching for the file.

Failing that, repeat what you did: rename the 'Windows' folder, restart the computer, search for the file while making sure its properties match as detailed above, delete it (or rename it first), then rename the 'windows' folder back to the original.

I'm not exactly sure which steps you actually followed, so I'm hesitant to advise further.

#9 thenrainsaid (Full Member, 14 posts)

Posted 02 June 2004 - 05:03 PM

I found it in safe mode with the described properties. I have deleted it and am now re-scanning with SD, Shredder, et al.

#10 thenrainsaid (Full Member, 14 posts)

Posted 02 June 2004 - 05:11 PM

Well, SD located 5 DSO issues that seem to relate to cws.searchx and removed them... and then I ran CWShredder and it too found cws.searchx and supposedly removed it... and now I am restarting.

Is this hopeless?

#11 thenrainsaid (Full Member, 14 posts)

Posted 02 June 2004 - 05:29 PM

Was forced to restart due to request by SD.

After this restart, SD removed 5 DSO exploits [again seemingly in reference to cws.searchx], but CWShredder found "no infection".

However, I now have:

Error loading
C:/PROGRA~1/NEWDOT~1/NEWDOT~1.DLL
The specified module couldn't be found.

I am now running AdAware. Will post results.

What do I do?

#12 thenrainsaid (Full Member, 14 posts)

Posted 02 June 2004 - 05:47 PM

Results of AdAware are as follows:

2 CoolWebSearch RegValues
[HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER]
1 New.Net RegValue
2 Possible browser hijack attempts RegData
2 CoolWebSearch Files
I await your command. x_x

#13 thenrainsaid (Full Member, 14 posts)

Posted 02 June 2004 - 10:28 PM

bump ::pleading eyes::

#14 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 03 June 2004 - 10:29 AM

If you deleted it in safe mode, all is well! :D

None of the other items you mentioned have anything to do with it!
*Note: Items such as DSO exploit and/or web dialer that Spybot can't remove should be ignored. I suspect them to be f/p, noted on a dozen or so threads.
FYI, that DSO exploit pertains to default IE zones and really doesn't have to be fixed! Spybot attempts to tighten the security range, but I leave mine well alone until further confirmed by Windows Updates!

Just fix whatever they can and post back a fresh HijackThis log!

#15 maryw (New Member, 1 post)

Posted 05 October 2004 - 09:54 PM

OK, I'm new to this and probably clueless... but I keep finding DSO Exploit with Spybot and I notice that I have almost constant crashes and reboots if I DON'T remove DSO Exploit every morning after I boot up.

So how do I get rid of this pest? I keep my Norton up to date, as well as Ad Aware and Spybot. I suppose it's possible there's a virus or some other malware in this machine but I haven't found anything to detect it.

Help, please... :huh:
