Help with CWS. Searchx


12 replies to this topic

#1 ArkImpulse (Full Member, 6 posts)

Posted 20 June 2004 - 11:59 PM

Well... I've got the same problem as some people here... CWS.Searchx is on my computer, Ad-aware cannot remove it... downloaded HijackThis... now what? It gives me about:blank as the homepage once in a while.

#2 ArkImpulse (Full Member, 6 posts)

Posted 21 June 2004 - 09:21 PM

Logfile of HijackThis v1.97.7
Scan saved at 8:24:48 PM, on 21/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\ADOBE\PHOTOSHOP 5.0 LE\PHOTOSLE.EXE
C:\PROGRAM FILES\ACD SYSTEMS\ACDSEE\ACDSEE.EXE
C:\WINDOWS\PROFILES\RICHA002\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.58q.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.21ww.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home Network Version 1.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.58q.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - User Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadc...ieNetworks1.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtange...ic/wtwdinst.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8144.5458101852
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.micr...C4D/mp43dmo.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O19 - User stylesheet: (file missing)
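As an added example (it is not part of the original thread and not HijackThis's own code), here is a small Python triage script that applies the checks a helper does by eye to the R0/R1/R3, O2 and O6 lines of a log like the one above: a search or start page set to a file:// path under TEMP, a search URL on a host the user never chose, about:blank values, unnamed BHOs whose file is missing, and IE policy restrictions. The sample lines are copied from the posted log; the trusted-host list (google.ca, taken from the Start Page line) and the severity labels are assumptions made for the example.

```python
"""Triage HijackThis (v1.97-style) log lines for browser-hijack indicators.

Added example: the rules below encode what a forum helper looks for by eye.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity reason line")

# Assumption: the hosts the user actually chose for home/search pages.
TRUSTED_HOSTS = {"google.ca", "www.google.ca"}

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.58q.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""


def _split_entry(rest):
    """Split 'key,ValueName = value' into (key, value); value is None if there is no '='."""
    if " = " in rest:
        key, value = rest.split(" = ", 1)
    elif rest.endswith(" ="):          # empty value, e.g. 'CustomizeSearch ='
        key, value = rest[:-2], ""
    else:
        key, value = rest, None
    return key.strip(), (value.strip() if value is not None else None)


def check_r_entry(section, rest):
    """Rules for R0/R1/R3 lines (IE start page, search page, search hooks)."""
    key, value = _split_entry(rest)
    if value is None:
        if "missing" in rest.lower():
            return Finding("LOW", "default handler missing (%s)" % section, rest)
        return None
    low = value.lower()
    if low.startswith("file://"):
        if "\\temp\\" in low or "/temp/" in low:
            return Finding("HIGH", "search/start page points at a file in TEMP", rest)
        return Finding("MEDIUM", "search/start page points at a local file", rest)
    if low.startswith(("http://", "https://")):
        host = urlparse(value).hostname or ""
        if host not in TRUSTED_HOSTS:
            return Finding("MEDIUM", "unexpected host %s in %s" % (host, key), rest)
        return None
    if low == "about:blank":
        return Finding("LOW", "about:blank set in %s" % key, rest)
    return None


def check_o_entry(section, rest):
    """Rules for O2 (browser helper objects) and O6 (IE policy restrictions)."""
    low = rest.lower()
    if section == "O2" and "(no name)" in low and "(file missing)" in low:
        return Finding("LOW", "unnamed BHO whose file is missing", rest)
    if section == "O6" and low.endswith("present"):
        return Finding("MEDIUM", "IE policy restrictions present", rest)
    return None


def triage(log_text):
    """Return a list of Findings for every recognised line in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        check = check_r_entry if section.startswith("R") else check_o_entry
        finding = check(section, rest)
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 1, 'MEDIUM': 2, 'LOW': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %s\n       %s" % (f.severity, f.reason, f.line))
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample lines the script reports one HIGH (the Search Bar pointing at sp.html in TEMP), two MEDIUM (the 58q.com search URL and the O6 restrictions) and three LOW entries; the Google toolbar BHO and the Start Page on google.ca produce nothing, which is the point of keeping a trusted-host list rather than flagging every URL.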

#3 The_Homie (Full Member, 17 posts)

Posted 21 June 2004 - 09:48 PM

There have been many, many, many of us who got jacked by this S.O.B. hijacker.
I just got rid of CWS SearchX myself.. thanks to some peeps here and a little messing with it myself.

First things first: get a file called RegLite at www.resplendence.com/download/reglite...

and get a file called findall.bat at http://freeatlast.10....com/index.html

And if you don't have these 2 files yet, get them: Ad-aware 6 build 181 & Spybot Search And Destroy 1.3; both can be downloaded from www.Download.com.

And CWShredder...


OK, time to find the random .dll that the Trojan/spyware uses.
Open findall.bat and run it; it will tell you the culprit .dll file you're looking for. Write it down. You can also find the file by doing a defrag: the file it can't move is the one you need to write down.

OK, once you have the .dll name (mine was d3dhii.dll), open RegLite and copy and paste this in the address bar: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs and hit GO.

In the left pane, highlight "Windows", then right-click it and choose Rename. Change the name to NotWindows; it will ask you if you want to make the change, click Yes.

Now, in the right pane, double-click the AppInit_DLLs value and highlight and delete the C:\WINNT\System32\d3dhii.DLL value in the value box (remember that you wrote the name of the .dll down; mine was d3dhii.dll, yours will be different).

Then hit Apply and OK. Right-click "NotWindows" in the left pane, choose Rename, and change the name back to Windows, then OK that change, close RegLite and reboot.

After rebooting, open the C:\WINNT\System32 folder in Explorer and look for the .dll file you found with findall.bat, which should now be visible. If it is, cut and paste it into a different folder (I moved mine to a folder called JUNK at C:\JUNK), then try to delete it (you may or may not be able to at that point).

You will need to reboot into Safe Mode by rebooting your computer and pressing F8. When in Safe Mode, find the folder you moved the .dll file to; you will have to fiddle with the permissions of the file, but once you are able to set permissions for it you will be able to delete it.

If you keep getting the permission denied error or a similar error, don't sweat it, it happened to me many times; just keep messing with the permissions for that file and it will finally take and you will be able to delete it.

Once you have it deleted, run Ad-aware 6, run the update wizard to get the latest reference file, and then scan & fix all that it finds.

Then run Spybot 1.3 (make sure you run the update wizard for it to get the updates), then run the scan and fix all it finds. After that run CWShredder and it shouldn't find anything then..

Reboot after you have done all this. Once rebooted, open Internet Options in Control Panel and set your browser back to whatever home page you had. Now you are free and clear of this NASTY thing. Hope this helps.

Post a HijackThis log also after you have done all this so people can help you with anything that's left over:

#4 ArkImpulse (Full Member, 6 posts)

Posted 21 June 2004 - 10:35 PM

I don't have Windows XP, so does findall still work for me? I'm running Windows 98. Is there another program that does the same function?

#5 Blue Dragon (Full Member, 7 posts)

Posted 22 June 2004 - 09:11 AM

(first post here btw! I should be congratulated)

I do computer repairs. In the last two weeks I've fixed this on 3 computers, mostly using the procedure The_Homie detailed. This is in response to ArkImpulse and his question about 98 as opposed to XP.

The only purpose of the findall is to ferret out the name of the offending dll file. However, if you can't use it, you will still be able to figure it out with RegLite. Just go to the key he mentioned:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

I suppose it's POSSIBLE this key could be used for legit "AppInit_DLLs", but in my limited experience, the only entry you're going to find here is your bad file.

That's it - all I had to say on that. But a question.

Trying to figure out WHEN this thing gets recreated after supposedly cleaning with CWShredder. Based on the key name, it sounds like the nasty .dll is some sort of App (Application) Init (Initialize? Initialization?) DLL. Therefore (guessing here) it runs when an application is initialized, started up? When an application is started? That would make sense based on my experience with this trojan. You can clean it, but shutting down IE then starting IE again, it reappears.

But the key doesn't specify IE anywhere in it. Does it run on ANY application "initializing"? Just curious if anyone knows. I'm not going out to get this damn thing again to test it out.

#6 Blue Dragon (Full Member, 7 posts)

Posted 22 June 2004 - 09:16 AM

...er... um... :dumb:

The key... er... probably wouldn't have "Windows NT" in it for Windows 98, would it. Heh... of course not. Two I fixed were running Win98. I believe the key was identical but with "Windows" instead of "Windows NT" in the key...

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Windows\AppInit_DLLs


:whistle:

#7 ArkImpulse (Full Member, 6 posts)

Posted 22 June 2004 - 09:48 AM

Ummmmm, here's another problem: the address you have given me... the address leads to CurrentVersion, it doesn't say Windows anywhere...

#8 Blue Dragon (Full Member, 7 posts)

Posted 22 June 2004 - 10:12 AM

You are correct. There is no such key for 98. My apologies. I followed a procedure I found somewhere and I DEFINITELY ran RegLite as part of it. However, there was no such key so there was nothing there to remove. I know I also had to boot into Safe Mode and run Adaware, Spybot and CWShredder while in Safe Mode for Win98. On more than one support site, I've read that simply running CWShredder under Safe Mode on Win98 will remove it, but I did not have the time or patience to risk going through it all again so I did EVERYTHING asked.

But you are right, there is no such key for Win98. Consider that a GOOD thing!

#9 ArkImpulse (Full Member, 6 posts)

Posted 22 June 2004 - 12:59 PM

You are correct.  There is no such key for 98.  My apologies.  I followed a procedure I found somewhere and I DEFINITELY ran RegLite as part of it.  However, there was no such key so there was nothing there to remove.  I know I also had to boot into Safe Mode and run Adaware, Spybot and CWShredder while in Safe Mode for Win98.  On more than one support site, I've read that simply running CWShredder under Safe Mode on Win98 will remove it, but I did not have the time or patience to risk going through it all again so I did EVERYTHING asked.

But you are right, there is no such key for Win98.  Consider that a GOOD thing!

Well then..... should I try that? Start Windows in Safe Mode and run CWShredder, Ad-aware, and Spybot?

Edited by ArkImpulse, 22 June 2004 - 01:00 PM.


#10 cnm (Mother Lion of SWI, Administrators, 25,317 posts)

Posted 22 June 2004 - 02:38 PM

The_Homie and Blue Dragon,

Please see The various helper groups here. Do join the team if you want to post help, we'd love to have you. :)

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#11 cowtooth (Full Member, 5 posts)

Posted 22 June 2004 - 04:04 PM

I had the SearchX virus on my computer with Windows 98 a couple of weeks ago and think I have managed to remove it now. There appeared to be a hidden file that kept reloading it, so it kept coming back. In Windows 98 it was in the c:\windows\system directory, and viewing that directory in Windows Explorer would not let you see it. By going into the DOS prompt and going into that directory (i.e. typing 'cd c:\windows\system') then typing 'dir/p *.dll' you can see all the dll files. The bad dll file was visible in DOS and I knew it was that one because of the date it was generated. I also did a search of the internet to find out if the dll was valid or not. However, in order to delete it you have to reboot the computer into DOS mode. Go into the c:\windows\system directory and type 'del xxxxx.dll' (in my case the file was hlp.dll). I rebooted into Safe Mode and ran CWShredder, Ad-aware etc. and a message came up that the file could not be found. It caused me a couple of weeks of real hassle, but thankfully the symptoms seem to have gone for good now.
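Added example, not cowtooth's commands: the "pick out the DLL by its date" step above turned into a Python function that lists every .dll/.ocx in a folder, keeps the ones newer than a cutoff that are not in a known-good baseline, and returns them newest first. It builds its own scratch folder with constructed file names (hlp.dll is reused as the sample name) and fake timestamps, so it runs anywhere; on a real Windows 98 system the directory would be C:\WINDOWS\SYSTEM and the baseline an inventory taken from a clean machine, both of which are assumptions here. Like the DOS dir, a directory listing from a program is not affected by Explorer's hide-hidden-files setting.

```python
"""List recent, unknown DLLs in a system folder: the thread's 'look at the date'
heuristic made mechanical. Added example; the names and timestamps are constructed."""
import os
import tempfile
import time
from datetime import datetime
from pathlib import Path

DAY = 86400

# Assumption: a baseline of lower-case file names known to belong on the machine
# (a hypothetical inventory, not a real Windows 98 file list).
BASELINE = {"kernel32.dll", "user32.dll", "msdxm.ocx"}


def build_sample_dir():
    """Create a scratch folder imitating C:\\WINDOWS\\SYSTEM: three old known files
    plus one file that appeared two days ago and is not in the baseline."""
    root = Path(tempfile.mkdtemp(prefix="sysdir_"))
    old = time.time() - 400 * DAY      # installed over a year ago
    fresh = time.time() - 2 * DAY      # appeared two days ago
    for name in ("kernel32.dll", "user32.dll", "msdxm.ocx"):
        path = root / name
        path.write_bytes(b"MZ")        # constructed stub, not a real PE file
        os.utime(path, (old, old))
    suspect = root / "hlp.dll"         # the name cowtooth reported, used as a sample
    suspect.write_bytes(b"MZ")
    os.utime(suspect, (fresh, fresh))
    return root


def recent_unknown_dlls(directory, max_age_days=30, baseline=BASELINE):
    """Return [(name, modified_datetime)] for .dll/.ocx files that are both newer
    than max_age_days and absent from the baseline, newest first."""
    cutoff = time.time() - max_age_days * DAY
    hits = []
    for path in Path(directory).iterdir():
        if path.suffix.lower() not in (".dll", ".ocx") or not path.is_file():
            continue
        mtime = path.stat().st_mtime
        if mtime >= cutoff and path.name.lower() not in baseline:
            hits.append((path.name, datetime.fromtimestamp(mtime)))
    hits.sort(key=lambda item: item[1], reverse=True)
    return hits


if __name__ == "__main__":
    folder = build_sample_dir()
    for name, when in recent_unknown_dlls(folder):
        print("%s  %s" % (when.strftime("%Y-%m-%d %H:%M"), name))
```

A hit on this list is only a lead, as it was for cowtooth: the next step is still checking whether the name is a legitimate component before removing anything, and a hijacker that backdates its file will slip past a pure date filter, which is why the baseline comparison is kept as a second test.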

#12 Blue Dragon (Full Member, 7 posts)

Posted 22 June 2004 - 04:04 PM

Thx! Sounds interesting. I applied.

To ArkImpulse: Definitely! You mean you haven't yet?!

#13 ArkImpulse (Full Member, 6 posts)

Posted 23 June 2004 - 09:21 PM

That's odd..... it's not turning my homepage to about:blank anymore... do you think I could have deleted it without knowing it? lol



