thenrainsaid

cws.searchx [of course, what else?]

15 posts in this topic

:scratchhead: <-- Neanderthal perplexed face seems quite apropos here.

 

I really can't seem to be rid of CWS.Searchx [classified according to CWShredder].

 

I cannot install Spyware Blaster; it says another part of my machine has corrupted it. I cannot restore my machine to a previous system checkpoint; it always fails. I ran it through Norton AntiVirus to make sure there were no viruses prohibiting installation of the Blaster, to no avail. AVG [which I run jointly with Norton on my other machines, but for some reason not on this one] cannot be installed.

 

I have run the system through updated Ad-aware in depth, with cloak as well, and with advised settings. Each time Searchx is removed, as it is with the shredder, yet each time my computer reboots, it's back. I have deleted MS Java from my machine and installed the Sun version. I have also updated IE to the best of my abilities -- which quaintly involves all updates except for SP1, which always fails.

 

I have checked for CWS.Realyellowpage variant hook with it, but it doesn't exist. I have used Spybot. You know the drill. I was also told to delete AppInit_DLLs and therefore already have. Now, I come to you with the output of FindAll shortly thereafter... any help would be much appreciated.

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/01 @@@***==--

 

 

Tue Jun 01 15:44:30 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "KIDS" (305E:15DF) - FS:FAT clusters:16k

Total: 39 996 407 808 [37G] - Free: 25 819 037 696 [24G]

 

 

»»IE version and Service packs:

6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2600.0 shp 91,136 08-23-2001 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;Q824145;Q330994;Q837009;Q832894;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"DigExt"=""

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1120 shp 4,639 08-23-2001 mplayer2.exe

 

»»M$Java version:

 

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 03-19-2004 notepad.exe

 

»» Regedit* version(s):

5.1.2600.0 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.0 shp 134,144 08-23-2001 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 03-19-2004 regedt32.exe

 

 

»»PC uptime:

3:44pm up 0 days, 17:28

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error

\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

300 SMSS.EXE

348 CSRSS.EXE Title:

372 WINLOGON.EXE Title: NetDDE Agent

420 SERVICES.EXE Svcs: Eventlog,PlugPlay

432 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

608 SVCHOST.EXE Svcs: RpcSs

636 SVCHOST.EXE Svcs: AudioSrv,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility

helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Sched

le,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,The

es,TrkWks,up

756 SVCHOST.EXE Svcs: Dnscache

776 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient

888 SPOOLSV.EXE Svcs: Spooler

936 CCEVTMGR.EXE Svcs: ccEvtMgr

956 NISUM.EXE Svcs: NISUM

1160 ALG.EXE Svcs: ALG

1176 CCPXYSVC.EXE Svcs: ccPxySvc

1232 Navapsvc.exe Svcs: navapsvc

1544 XL.EXE Svcs: XtreamLok License Manager

560 EXPLORER.EXE Title: Program Manager

1860 ccApp.exe Title: Norton AntiVirus

1592 jusched.exe Title: OleMainThreadWndName

2720 avg6688fu_free.exe

2816 avg6688fu_free.exe

2860 avg6688fu_free.exe

3152 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2908 ntvdm.exe

3580 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access KIDS2\Antonia

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access KIDS2\Antonia

»»Size of 'Windows' key: (Defaults *450)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

 

»»Group/user settings:

 

 

User: [KIDS2\Antonia], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group KIDS2\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx No permissions are set. All user have full control.

ERROR: There are no more files.

 

 

»»Contents of file(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Tue Jun 01 15:45:04 2004 -- ++Find-All backups created:

A C:\Find-All\Find-All\winBackup.hiv

A C:\Find-All\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Hi there!

 

I can help, but it seems you already started the process and renamed the 'Windows' key!

The 'AppInit_Dlls' value is missing from your log, and the size=398 indicates the standard size when deleted.

 

Can you specify what you have done so far, on your own?

I was also told to delete AppInit_DLLs and therefore already have. Now, I come to you with the output of FindAll shortly thereafter

 

Keep in mind that starting the process first may have some minor, irreversible implications.

 

Details...

http://www.spywareinfoforum.com/index.php?showtopic=3544&hl=

 

Meanwhile, do 'find-files' for C:\WINDOWS\System32\WDM.DLL and specify whether it can be found.


Afterthought: since you renamed the Windows key and deleted the 'AppInit' value already, your culprit file is likely to be the WDM.DLL in the System32 folder.

 

Since you are running the FAT32 file system, you should have no trouble simply deleting it.

 

However, confirm the file and its properties first, since there could be legitimate file(s) by that name.

 

If that file is found with:

* Read-only attributes
* No version (company) in properties
* Sizes of: 56.0 KB (57,344 bytes), or: 21.0 KB (21,504 bytes)

go ahead and delete it.

 

If the details don't match, post them here, first.

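The property check the helper describes in this post, together with the AppInit_DLLs check from the earlier reply, written up as a PowerShell triage script for a modern Windows host. This is an added example, not code from the thread or from any of the tools named in it; the registry key, the WDM.DLL path and the two byte sizes come from the thread, and everything else is assumed. It only reports; it deletes nothing.

```powershell
# Added example (not from the thread): list the evidence the helper asks for
# before any deletion decision: read-only attribute, version/company info and
# byte size, for WDM.DLL and for every DLL named in AppInit_DLLs.
$winKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$sys32        = Join-Path $env:SystemRoot 'System32'
$suspectSizes = 57344, 21504          # the two sizes quoted in the thread

# The helper treats a missing AppInit_DLLs value as the normal, cleaned state.
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    Write-Host "AppInit_DLLs is empty or absent under $winKey"
} else {
    Write-Host "AppInit_DLLs = '$appInit'"
}

# Candidate files: the name from the Find-All log plus each AppInit entry.
$paths = @(Join-Path $sys32 'WDM.DLL')
if ($appInit) {
    foreach ($entry in ($appInit -split '[,;\s]+' | Where-Object { $_ })) {
        # Bare names in AppInit_DLLs are resolved from System32.
        if ([IO.Path]::IsPathRooted($entry)) { $paths += $entry }
        else { $paths += (Join-Path $sys32 $entry) }
    }
}

foreach ($p in ($paths | Select-Object -Unique)) {
    # -Force so hidden/system files are still returned.
    $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if (-not $f) { Write-Host "$p : not present"; continue }
    $vi = $f.VersionInfo
    [PSCustomObject]@{
        Path        = $f.FullName
        Bytes       = $f.Length
        ReadOnly    = [bool]($f.Attributes -band [IO.FileAttributes]::ReadOnly)
        Company     = $vi.CompanyName
        FileVersion = $vi.FileVersion
        NoVersion   = [string]::IsNullOrEmpty($vi.CompanyName) -and
                      [string]::IsNullOrEmpty($vi.FileVersion)
        SizeMatch   = $suspectSizes -contains $f.Length
    } | Format-List
}
```

A file that shows ReadOnly, NoVersion and SizeMatch all True matches the helper's three criteria; anything else is exactly the case the helper says to post back before acting on.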

Yeah, actually I started the "process" prior to finding this board... So I hadn't found/run FindAll yet. I hope that doesn't jeopardize things. I haven't done anything past that "phase" though... so I'm hoping it'll be OK?

 

How do I find out the properties, and change them, and such like that?

I really need a step by step walkthrough at this point, as I don't want to mess anything up anymore :(

 

Thanks

Edited by thenrainsaid


Ok, actually, I'm running a system search right now because I can't locate any file named wdm.dll easily... >.< That isn't good, is it?


Well, I'm not sure how to proceed.

As in the link I posted, you deleted the AppInit after renaming the 'windows' folder?

 

In that case the file should be visible.

 

To find files and their properties: you locate the file and right-click it. Size and version should be displayed.

 

You should try restarting in Safe Mode and searching for the file.

 

Failing that, repeat what you did: rename the 'Windows' folder, restart the computer, search for the file while making sure its properties match as detailed above, delete it (or rename it first), then rename the 'windows' folder back to the original.

 

I'm not exactly sure which steps you actually followed, so I'm hesitant to advise further.


Well, SD located 5 DSO issues that seem to relate to cws.searchx and removed them... and then I ran CWShredder and it too found cws.searchx and supposedly removed it... and now I am restarting.

 

Is this hopeless?


Was forced to restart due to request by SD.

 

After this restart, SD removed 5 DSO exploits [again seemingly in reference to cws.searchx], but CWShredder found "no infection".

 

However, I now have:

 

Error loading

C:/PROGRA~1/NEWDOT~1/NEWDOT~1.DLL

The specified module couldn't be found.

 

I am now running AdAware. Will post results.

 

What do I do?


Results of AdAware are as follows:

 

2 CoolWebSearch RegValues

[HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER]

1 New.Net RegValue

2 Possible browser hijack attempts RegData

2 CoolWebSearch Files

I await your command. x_x


If you deleted it in safe mode, all is well! :D

 

None of the other items you mentioned have anything to do with it!

*Note: Items such as DSO Exploit and/or web dialer that Spybot can't remove should be ignored.

I suspect them to be f/p, notably on ~dozen threads.

FYI, that DSO Exploit pertains to the default IE zones and really doesn't have to be fixed!

Spybot attempts to tighten the security range, but I leave mine well alone until further confirmed by Windows Updates!

 

Just fix whatever they can and post back a fresh HijackThis log!


OK, I'm new to this and probably clueless... but I keep finding DSO Exploit with Spybot and I notice that I have almost constant crashes and reboots if I DON'T remove DSO Exploit every morning after I boot up.

 

So how do I get rid of this pest? I keep my Norton up to date, as well as Ad Aware and Spybot. I suppose it's possible there's a virus or some other malware in this machine but I haven't found anything to detect it.

 

Help, please... :huh:
