searchx.cc

#1 qy3pr (New Member, 3 posts)

Posted 14 June 2004 - 02:40 AM

hi.

well. I used the newest version of CWShredder (btw: good job, Merijn) and it did remove the searchx.cc version of the malware, but I think that the program modified the IE link to reinstall itself whenever I used it.
so.. I removed the sh*t with CWShredder and it's gone. If I start IE by clicking iexplore.exe, everything is ok and clean. If I click the IE link in the Start > Programs menu instead, the malware reinstalls itself.

I could be wrong, but it's worth a check (for improving shredder).

-----

I was wrong... maybe.. I created a new link to IE and got searchx.cc again.. closed IE, ran a shredder and after clicking iexplore.exe, IE was clean again.. so.. the malware has obviously infected something else... hmm.. I'll try another way.. brb.

Edited by qy3pr, 14 June 2004 - 02:50 AM.


#2 Subratam (Silent Assasinator, Retired Staff, 284 posts)

Posted 14 June 2004 - 02:55 AM

Hello

SearchX needs to be removed in a different way :)

Let's have a look at a HijackThis Log.

1. If you don't already have HijackThis, download HijackThis from downloads.subratam.org/hijackthis.zip
2. Make a folder in My Documents and name it with a name you like.
3. Extract the contents of the Zip file to this newly made folder.
4. You should get a dynamite-like icon. Run that and press SCAN. The SCAN button will change to SAVE. Click on SAVE and a Notepad window should pop up. Save that entire content.
5. Copy the entire content of the HijackThis log and paste it here. DO NOT delete or modify anything yet, as some of it is needed to keep your system in good shape.

Regards
http://blog.emsisoft.com
www.Emsisoft.com

#3 qy3pr (New Member, 3 posts)

Posted 14 June 2004 - 04:15 AM

ok. I tried running IE by clicking on a shared (read-only) shortcut through the network. There's nothing wrong with the link.. the installation process starts somewhere else.. here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 11:09:47, on 2004-06-14
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\INSTALL\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program\office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Bostream
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.181.52.2,212.181.52.3

------

btw, I know what the registry is and how windows and pc's work.. it's just this hijacker I can't get rid of.. and somehow I never get this kind of crap.. this is not my computer we're talking about.
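The log posted above follows the fixed HijackThis line format (a section code such as R0, O2, O4 or O16, then " - ", then the entry). As an added example, not code from this thread or from HijackThis itself, the Python below parses that format into entries, normalises the O4 autostart items (Run/RunServices keys and Startup-folder links), flags O16 ActiveX download entries that the log lists without a friendly name, lists the R0/R1 Internet Explorer values that are blank, and greps every entry for a string such as the hijacker's domain. The sample input is a constructed subset of the log in this post; the truncated URLs are left exactly as the forum rendered them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis 1.97.7 log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:09:47, on 2004-06-14

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\INSTALL\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program\office\Office\OSA9.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.181.52.2,212.181.52.3
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")                       # "<code> - <body>"
O4_RUN_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
O4_STARTUP_RE = re.compile(r"^(?P<location>[^:]+): (?P<name>.+?) = (?P<command>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


@dataclass
class Entry:
    code: str  # HijackThis section code, e.g. "R0", "O4", "O16"
    body: str  # everything after "<code> - "


def parse_log(text):
    """Return the scan entries (R*/F*/N*/O* lines) in file order; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def running_processes(text):
    """Return the image paths listed under 'Running processes:' (up to the first blank line)."""
    procs, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block:
            if not line:
                break
            procs.append(line)
    return procs


def entries_by_code(entries):
    """Group entries by section code, e.g. {'O4': [...], 'O16': [...]}."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e.code].append(e)
    return dict(grouped)


def autostart_items(entries):
    """Normalise O4 lines to (location, name, command) for both Run-key and Startup-folder styles."""
    items = []
    for e in entries:
        if e.code != "O4":
            continue
        m = O4_RUN_RE.match(e.body) or O4_STARTUP_RE.match(e.body)
        if m:
            items.append((m["location"], m["name"], m["command"]))
    return items


def unnamed_dpf(entries):
    """O16 (Download Program Files / ActiveX) entries shown without a friendly name: (clsid, url)."""
    found = []
    for e in entries:
        m = O16_RE.match(e.body) if e.code == "O16" else None
        if m and m["name"] is None:
            found.append((m["clsid"], m["url"]))
    return found


def blank_registry_values(entries):
    """R0/R1 Internet Explorer values that the log shows as empty (registry path only)."""
    return [e.body.rstrip("= ") for e in entries
            if e.code.startswith("R") and e.body.rstrip().endswith("=")]


def find_references(entries, needle):
    """Case-insensitive search for a string (for example a hijacker's domain) across all entries."""
    needle = needle.lower()
    return [e for e in entries if needle in e.body.lower()]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print(len(ents), "entries;", len(running_processes(SAMPLE_LOG)), "processes")
    for loc, name, cmd in autostart_items(ents):
        print(f"  autostart {loc} [{name}] -> {cmd}")
    print("unnamed DPF:", unnamed_dpf(ents))
    print("blank IE values:", blank_registry_values(ents))
    print("searchx hits:", find_references(ents, "searchx"))
```

Run against the full log in this post, `find_references(entries, "searchx")` comes back empty, which matches what the poster is seeing: nothing in the HijackThis sections names the hijacker, so the reinstall is coming from somewhere the log does not cover. The one unnamed O16 entry and the blank R0 values are the kind of lines a helper would look at first.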

#4 Subratam (Silent Assasinator, Retired Staff, 284 posts)

Posted 14 June 2004 - 11:23 AM

Download this file from http://downloads.sub....org/dllfix.exe .

Preferably to the Desktop. Double-click on it; being a self-extractor, it will create its own folder. Run Start.Bat from there. Run Option 1, which is "Run Find-All...". Let it complete and there will be a pop-up window with a log.
Post that log here.

[ Tutorial - http://forums.subrat...p?showtopic=583 with screenshots for better understanding. Follow up to step 5 ]

Regards

#5 qy3pr (New Member, 3 posts)

Posted 15 June 2004 - 05:42 PM

"This is for Windows 2000 or Windows XP only"

but I had to modify the batch file in order to see that message.. otherwise the shell window closed automatically.

PS. btw: thx for your help. I also forgot to mention that the computer runs Win98.

Edited by qy3pr, 15 June 2004 - 06:14 PM.
