can't get rid of CWS.searchX


11 replies to this topic

#1 bedwejs (Full Member, 8 posts)

Posted 21 June 2004 - 09:19 PM

My main concern is the removal of CWS.Searchx or whatever CWS trojans are present. I can run CWShredder all day long, and every time it says CWS.Searchx is removed, but anywhere from 5 minutes to an hour or more later, CWS shows up as my homepage again.

Also, any other "problems" that can be pointed out will be very much appreciated.

Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 6:50:13 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\J. Bedwell\Desktop\hijackthis1977\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\J22A2~1.BED\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\J22A2~1.BED\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\J22A2~1.BED\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\J22A2~1.BED\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\J22A2~1.BED\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\J22A2~1.BED\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {EB1526B7-7DAA-4A16-9C1B-1D599710777A} - C:\WINDOWS\System32\lip.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\ISOCraxtion-v31\OCX\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8154.6329050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup144.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
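
The log above is what the thread is triaging by eye: search pages redirected to a local sp.html in Temp, BHOs with no file behind them, and a DPF entry installed from file://C:\install.cab. The script below is an added example (not part of this thread and not HijackThis code) that applies those same checks mechanically to a HijackThis 1.97-style log. The sample log is a trimmed copy of the first log in this thread; the rule set and the wording of the reasons are the editor's assumptions, not HijackThis's own classification.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\J22A2~1.BED\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\J22A2~1.BED\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {EB1526B7-7DAA-4A16-9C1B-1D599710777A} - C:\WINDOWS\System32\lip.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup144.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O16, ...) followed by " - ".
HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for the entry lines; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage_entry(section: str, body: str) -> List[str]:
    """Heuristic checks (editor's assumptions) mirroring what the helpers in this thread look for."""
    reasons = []
    low = body.lower()
    if section in ("R0", "R1"):
        if "file://" in low:
            reasons.append("IE search/start page points at a local file, not a web address")
        if "\\temp\\" in low:
            reasons.append("target lives in a Temp directory")
        if "start page_bak" in low or "homeoldsp" in low:
            reasons.append("leftover backup-homepage value (CWS residue; harmless but worth clearing)")
    elif section == "O2":
        if "(no file)" in low:
            reasons.append("orphaned BHO registration: CLSID present but the DLL is missing")
        elif "(no name)" in low:
            reasons.append("unnamed BHO loading from disk")
    elif section == "O16":
        if "file://" in low:
            reasons.append("ActiveX control installed from a local file path")
        if not re.search(r"\([^)]+\)", body):
            reasons.append("DPF object with no class name")
    return reasons


def triage(text: str) -> List[Dict[str, object]]:
    """Return only the entries that tripped at least one check, with the reasons."""
    hits = []
    for section, body in parse_hjt(text):
        reasons = triage_entry(section, body)
        if reasons:
            hits.append({"section": section, "entry": body, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['section']}  {hit['entry']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
```

Run against the sample, it flags the two redirected search pages, the Start Page_bak value, both BHOs, the unnamed smgradio DPF and the file:// install.cab, and leaves the SoundMan Run entry and the named Flash control alone. The checks are deliberately narrow: an entry that passes them is not thereby clean, and an O16 object with a friendly class name can still be unwanted, so treat the output as a worklist, not a verdict.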

#2 The_Homie (Full Member, 17 posts)

Posted 21 June 2004 - 09:49 PM

There have been many, many, many of us who got jacked by this S.O.B. hijacker.
I just got rid of CWS.Searchx myself, thanks to some peeps here and a little messing with it myself.

First things first: get a file called REGLITE @ www.resplendence.com/download/reglite...

and get a file called find all.bat @ http://freeatlast.10....com/index.html

And if you don't have these two files yet, get them: Ad-aware 6 build 181 & Spybot Search And Destroy 1.3. Both can be downloaded from www.Download.com.

And CWShredder...


OK, time to find the random .dll that the trojan/spyware uses.
Open findall.bat and run it. It will tell you the culprit .dll file you're looking for; write it down. You can also find the file by doing a defrag: the file it can't move is the one you need to write down.

OK, once you have the .dll name (mine was d3dhii.dll), open REGLITE and copy and paste this in the address bar: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs and hit GO.

In the left pane, highlight "Windows", then right-click it and choose Rename. Change the name to NotWindows. It will ask you if you want to make the change; click Yes.

Now, in the right pane, double-click the AppInit_DLLs value and highlight and delete the C:\WINNT\System32\d3dhii.DLL value in the value box (remember that you wrote the name of the .dll down; mine was d3dhii.dll, yours will be different).

Then hit Apply and OK. Right-click "NotWindows" in the left pane, choose Rename, and change the name back to Windows, then OK that change, close Reglite and reboot.

After rebooting, open the C:\WINNT\System32 folder in Explorer and look for THE .DLL file you found with findall.bat, which should now be visible. If it is, cut and paste it into a different folder (I moved mine to a folder called JUNK @ C:\JUNK), then try to delete it (you may or may not be able to at that point).

You will need to reboot into safe mode by rebooting your computer and pressing F8. When in safe mode, find the folder you moved the .dll file to. You will have to fiddle with the permissions of the file, but once you are able to set permissions for it you will be able to delete it.

If you keep getting the "permission denied" error or a similar error, don't sweat it. It happened to me many times; just keep messing with the permissions for that file and it will finally take and you will be able to delete it.

Once you have it deleted, run Ad-aware 6. Run the update wizard to get the latest reference file, then scan & fix all that it finds.

Then run Spybot 1.3. Make sure you run the update wizard for it to get the updates, then run the scan and fix all it finds. After that, run CWShredder and it shouldn't find anything.

Reboot after you have done all this. Once rebooted, open Internet Options in Control Panel and set your browser back to whatever home page you had. Now you are free and clear of this NASTY thing. Hope this helps.

Post a HijackThis log also after you have done all this so people can help you with anything that's left over:
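
The registry step in the post above comes down to one thing: take the DLL path out of the AppInit_DLLs value without disturbing anything else that may be listed there, since every DLL in that value is loaded into every process that loads user32.dll, which is why the hijacker keeps coming back and why the file cannot be deleted while it is loaded. The script below is an added example by the editor, not The_Homie's procedure and not part of this thread. It parses the value the way Windows documents it (space- or comma-separated paths, quoted when they contain spaces; that format is an assumption), removes only the named DLL, and on Windows can read the live value and, with --apply, write the result back. It does not do the Windows/NotWindows rename or delete the file; those remain the manual steps in the post. Note also that the post writes C:\WINNT, while the XP machine in this thread uses C:\WINDOWS\System32, as its logs show; use whatever findall.bat reported.

```python
import sys
from typing import List, Tuple

# Registry location of AppInit_DLLs (HKLM), as given in the post above.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"


def split_appinit(value: str) -> List[str]:
    """Split an AppInit_DLLs string into its DLL paths.

    Assumed format: paths separated by spaces or commas; a path containing
    spaces is wrapped in double quotes. Quotes are stripped from the result.
    """
    entries: List[str] = []
    current: List[str] = []
    in_quotes = False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " ," and not in_quotes:
            if current:
                entries.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        entries.append("".join(current))
    return entries


def join_appinit(entries: List[str]) -> str:
    """Rebuild the value, re-quoting any path that contains a space."""
    return " ".join(f'"{e}"' if " " in e else e for e in entries)


def remove_dll(value: str, dll_name: str) -> Tuple[str, List[str]]:
    """Drop every entry whose file name matches dll_name (case-insensitive).

    Returns (new_value, removed_entries); all other entries are kept in order,
    so a legitimate DLL sharing the value with the hijacker is not lost.
    """
    target = dll_name.lower()
    kept: List[str] = []
    removed: List[str] = []
    for entry in split_appinit(value):
        base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        (removed if base == target else kept).append(entry)
    return join_appinit(kept), removed


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print("usage: appinit_clean.py <dll-name> [--apply]")
        return 2
    if sys.platform != "win32":
        print("Registry access needs Windows; call remove_dll() on a pasted value instead.")
        return 2
    import winreg  # standard library, Windows only
    dll_name, apply = argv[1], "--apply" in argv
    access = winreg.KEY_READ | (winreg.KEY_WRITE if apply else 0)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY, 0, access) as key:
        try:
            value, _ = winreg.QueryValueEx(key, APPINIT_VALUE)
        except FileNotFoundError:
            print("AppInit_DLLs is not set; nothing to clean.")
            return 0
        new_value, removed = remove_dll(value, dll_name)
        print(f"current : {value!r}")
        print(f"removed : {removed}")
        print(f"proposed: {new_value!r}")
        if removed and apply:
            winreg.SetValueEx(key, APPINIT_VALUE, 0, winreg.REG_SZ, new_value)
            print("written; reboot before trying to move or delete the file")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it first without --apply to see what would change; editing the value needs an administrator account, and the DLL stays loaded (and undeletable) until the next reboot, which is why the post has you restart before touching the file.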

#3 bedwejs (Full Member, 8 posts)

Posted 22 June 2004 - 01:00 AM

OK, I did everything in the above post as The_Homie suggested. Here is my new HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 12:57:37 AM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Documents and Settings\J. Bedwell\Desktop\hijackthis1977\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\ISOCraxtion-v31\OCX\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8154.6329050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup144.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab

#4 bedwejs (Full Member, 8 posts)

Posted 22 June 2004 - 09:23 PM

bump

#5 The_Homie (Full Member, 17 posts)

Posted 22 June 2004 - 10:31 PM

Fix these 2:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

#6 bedwejs (Full Member, 8 posts)

Posted 22 June 2004 - 10:55 PM

OK, once again, I have done what The_Homie suggested. By the way, my Searchx problem APPEARS to be gone; I just hope it really is. Here is my new log.

Logfile of HijackThis v1.97.7
Scan saved at 10:54:18 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\J. Bedwell\Desktop\hijackthis1977\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\ISOCraxtion-v31\OCX\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8154.6329050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup144.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab

#7 bedwejs (Full Member, 8 posts)

Posted 23 June 2004 - 01:54 AM

bump

#8 smokingcat (Full Member, 10 posts)

Posted 23 June 2004 - 02:31 AM

This is to The_Homie. Since no one has yet replied to my post from 6/20/04, I thought I'd take a stab at your instructions on how to remove this viral piece of work spyware.

Since I know just enough about registry editing to be dangerous, I have a couple of questions.

1. Which Windows folder am I supposed to edit to NotWindows? I am assuming that it is the folder in which I am supposed to type in the offending dll. Could you clarify?

2. You mention that once you get to the point where you need to delete this dll, one must mess around with the file permissions to get this to happen. Could you give some specific instructions on how to do this? Unfortunately, someone does this for me at work, so messing around with file permissions is something I am not familiar with.

Thanks much!

smokingcat

#9 dxb (New Member, 2 posts)

Posted 23 June 2004 - 09:01 AM

After rebooting, open the C:\WINNT\System32 folder in Explorer and look for THE .DLL file you found with findall.bat, which should now be visible. If it is, cut and paste it into a different folder (I moved mine to a folder called JUNK @ C:\JUNK), then try to delete it (you may or may not be able to at that point).

Hello,
I have the same problem.

I followed the first steps and made the .dll visible, but I can't move the .dll out of the System32 dir.
What can I do?

Thanks a lot

#10 bedwejs (Full Member, 8 posts)

Posted 24 June 2004 - 12:20 AM

Well, I'm not sure about the file permissions, but I didn't even have to use safe mode. First I tried to delete the file where it was, and that did not work. So I just dragged it out to the desktop. Then I could do whatever I wanted to with it.

I think when you boot in safe mode, however, it is much easier to move/delete stubborn files. Try a Google search maybe on file permissions and changing them.

#11 fred99587 (Full Member, 8 posts)

Posted 24 June 2004 - 12:26 AM

Hello,

I followed the exact same instructions yesterday, and after cutting and pasting the dll file into another folder I had no problem deleting it.

#12 dxb (New Member, 2 posts)

Posted 24 June 2004 - 08:57 AM

OK, I managed to delete the .dll file with this program:
http://www.gibinsoft...eutil/index.htm

I hope that got rid of this.

Thanks a lot!
