weeirdo | I can't get rid of CWS.Searchx. Every time I run CWShredder (v. 1.57) it detects and cleans CWS.Searchx, and 2 minutes later it's back! I have tried Ad-Aware (free), SpywareBlaster, Spybot, StartPageGuard, and no success. It comes back every time. Does anyone know a way to get rid of it for good, or do I have to reinstall Windows?
|
|
|
John2g (Qui Tacet Consentit, Premium, join: 2001-08-10, England) | I noticed in a thread earlier that there is a new variant that there is no solution to yet. I hope that is not the one you have. -- Better to remain silent and be thought a fool, than to speak and remove all doubt.
|
weeirdo | Can you give me a link to that post? I think it should be the same. I forgot to say I also tried HijackThis.
|
John2g (Qui Tacet Consentit, Premium, join: 2001-08-10, England) | said by weeirdo: Can you give me a link to that post? I think it should be the same. I forgot to say I also tried HijackThis.
»CWShredder 1.56.3 Update -- Better to remain silent and be thought a fool, than to speak and remove all doubt.
|
Allyn_P (Premium, join: 2002-10-29, Cashiers, NC, 1 edit) | reply to weeirdo: According to what I read at Merijn's site, you may have something else installed that's interfering with removal. Go to »www.spywareinfo.com/~merijn/cwsc···#searchx for more information on CWS.Searchx.
|
| Yes, I read that at Merijn's and checked everything. Nothing else but CWS.SearchX. Merijn also says it's not that hard to remove, which is true because CWShredder removes it in 2 seconds; however, it comes back again and again. I have to run CWShredder every 5 minutes or so.
|
Zupe (Premium, MVM, join: 2001-11-29, New York, NY) | What OS are you on?
Can you please download this file, »www10.brinkster.com/expl0iter/fr···-All.zip, unzip it to a folder and then run the Find All.bat file from that folder. It will sit on a blank screen for a few moments, then open a text file in Notepad. Please copy and paste the contents of that file here.
Please also post a HijackThis log at the same time. -- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"?
|
| I am running WinXP Home. I did as you said and there was a file which was locked (CTLL.DLL). It was such a die-hard! First of all, I couldn't even see it in my system32 (I have enabled "view hidden files" and disabled "hide system files"), even under Safe Mode. Fortunately I have two Windows installations on my computer and I was able to see it while running my other Windows, but still wasn't able to delete it. To cut the story short, after half an hour I was able to delete the file, but I had to leave home because I was already late for college. I will post feedback when I get back home.
Thanks a lot, Zupe.
|
| CWS.SearchX is gone for sure; that was the culprit file. Thanks again, Zupe.
|
| Is ctll.dll the problem in each case? I have the same issue with searchx as you guys discussed, and need to solve it too. When I run a file search it doesn't come up.
|
Zupe (Premium, MVM, join: 2001-11-29, New York, NY) | The file differs each time. Please follow the instructions I gave above and post the result log from running Find All.bat together with a HijackThis log in a new thread. -- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"?
|
| reply to weeirdo: Sounds like you were infected with the same thing I was: »The NASTIEST infection I have ever seen, help.
I had to boot from Bart's PE CD to delete the damn file! -- The day after tomorrow. Where will you be?
|
| reply to weeirdo: I have the same problem, but I can't delete the file CTL.DLL. How do I do this? I have Windows 2000 and Windows XP on my system...
|
regz12 (join: 2004-05-02, Fall River, MA) | reply to weeirdo: Here are my log files ... PLEASE HELP ME!
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2479859D-FAF5-4673-9878-3BCFA5C6740F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{71922FAE-B010-487C-80C5-21D91D6229F1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{71922FAE-B010-487C-80C5-21D91D6229F1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

Logfile of HijackThis v1.97.7
Scan saved at 7:51:03 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Bryan Rego\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gebd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gebd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gebd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gebd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gebd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gebd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2479859D-FAF5-4673-9878-3BCFA5C6740F} - C:\WINDOWS\System32\gebd.dll
|
| regz12, you have the same thing I had, unfortunately. And the only way of getting rid of it is to boot to another operating system and delete the super-hidden file. I don't know of any other way currently. -- The day after tomorrow. Where will you be?
|
ahulett (Life Without Walls, Premium, VIP, join: 2003-02-02, Bellevue, WA, kudos: 2) | reply to weeirdo: Hi. Some comments:
1) Make sure you scan with Ad-aware reference file 01R301 03.05.2004.
2) Use our "full scan" settings found at »www.lavahelp.com/howto/fullscan/ to ensure a complete system scan.
3) If it is still on your system after this, submit the DLL file to us via »submit.lavahelp.com (the fastest way to get it into our review queues) and to »Security »I think my computer is infected or hijacked. What should I do? so that the community may benefit.
Thanks,
Aaron -- Aaron Hulett - Chief Research Officer | Lavasoft Research & Development | »www.lavasoft.de
|
johnpd (Premium, join: 2003-11-20, Green Valley, AZ) | If you have WinXP, you should be able to use the "Recovery Console" from the XP installation CD to get rid of it. Use the tool indicated by Zupe above to find the spawning .DLL. Then use the Recovery Console to delete the .DLL(s).
1. Put the Windows CD in the tray and reboot the computer..
--> You should get a "press any key to boot from Cd" message, so do that.
( If this does not happen, change your BIOS configuration to boot from your CD drive first.)
2. It will load a bunch of files and eventually give you a menu where you can select the "Recovery Console" by pressing "R".
3. You'll see your Windows Installation like "C:\Windows", type the number 1 and press enter.
4. Administrator password is next: is probably blank so just press enter, unless you set one in which case enter it.
5. With all that done you'll end up with a "C:\Windows>" prompt.
6. Now to delete the .dll file(s) (this is assuming these DLLs are in the System32 subdirectory of your Windows installation folder):
---> Type del c:\windows\system32\name_of_the_dll_file
(where name_of_the_dll_file is the .DLL to delete)
Repeat for each .DLL to delete.
7. When that is complete, remove the CD from the tray and type Exit and you will reboot.
Rescan with Ad-aware and let it remove any registry entries that might be associated with the .DLL(s).
------------------------------------------------
As the previous response suggests, it also might be helpful to send the .DLL to the folks at Ad-aware so they have it covered in the future. |
|
Zupe (Premium, MVM, join: 2001-11-29, New York, NY, 2 edits) | reply to regz12: regz12, first, that's not a complete HijackThis log; we'd need to see the full log. Second, from running the file I posted earlier, was there nothing in the results above what you posted? It will usually list the name of the "bad" hidden file there if one is found.
If that didn't list anything, you can try downloading and installing Reglite from here: »www.resplendence.com/download/reglite.exe
Start the program and paste the following into Reglite's browser address bar and click the Go button:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
In the right pane, find the value "AppInit_DLLs" and double-click it. Copy and paste the output of the Size and Value fields that show up in the next box here.
ahulett, are you suggesting that Ad-Aware can now deal with this? If so, that would be great news, but from what I've seen so far, using Ad-aware, CWShredder or any other automated removal tool before removing the hidden DLL (assuming it's present; there may still be versions where it apparently isn't, and this could be one) just ends up causing a bigger mess. If that DLL isn't removed, the other entries just return with new names, either right away or after a few hours, leaving even more to clean up. -- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"?
|
regz12 (join: 2004-05-02, Fall River, MA) | reply to weeirdo: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
No Data Type: REG_SZ Size: 30 |
|
regz12 (join: 2004-05-02, Fall River, MA) | reply to weeirdo: Sorry, I forgot to list the value:
c:\windows\system32\d3dop.dll
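Tying Zupe's AppInit_DLLs check and johnpd's Recovery Console steps together, here is an added example that is not from this thread and not from any of the tools named in it. It takes the REGEDIT4 export and a few HijackThis lines regz12 posted (copied in as constructed sample strings), compares the AppInit_DLLs value regedit shows (empty) with the size Reglite reported (30), and lists the files that have to be deleted from outside the running Windows install. It assumes Reglite's Size field is an ANSI byte count that includes the terminating NUL, which is what makes the 29-character path come out as 30; the function names and the "del" plan format are mine, not anything the thread's tools produce.

```python
"""Added example (not from the thread): cross-check the AppInit_DLLs value
against what regedit exported and what HijackThis shows, then list the
files that have to be deleted from outside the running Windows install."""
import re

# Constructed sample: the AppInit_DLLs part of the REGEDIT4 export regz12 posted.
REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
'''

# Constructed sample: what Reglite reported for the same value (size, then the path).
REGLITE_SIZE = 30
REGLITE_VALUE = r"c:\windows\system32\d3dop.dll"

# Constructed sample: three lines from the HijackThis log in the same post.
HJT_LOG = r'''R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gebd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2479859D-FAF5-4673-9878-3BCFA5C6740F} - C:\WINDOWS\System32\gebd.dll
'''


def appinit_from_export(export_text):
    """AppInit_DLLs as regedit exported it ('' if shown empty), or None if absent."""
    m = re.search(r'^"AppInit_DLLs"="(.*)"$', export_text, re.M)
    return m.group(1) if m else None


def reg_sz_size(value):
    """Size of an ANSI REG_SZ in bytes: the characters plus the terminating NUL.
    Assumption: this is the unit Reglite's Size field uses."""
    return len(value) + 1


def export_hides_value(export_text, reported_size):
    """True when regedit shows AppInit_DLLs as empty but the raw size cannot be empty."""
    shown = appinit_from_export(export_text)
    return shown == "" and reported_size > reg_sz_size("")


def hijack_dlls(hjt_text):
    """DLLs behind res:// search-page hijacks (R0/R1) and unnamed BHOs (O2)."""
    found = set()
    for line in hjt_text.splitlines():
        m = re.search(r'res://([^/]+\.dll)/', line, re.I)
        if m:
            found.add(m.group(1).lower())
        m = re.match(r'O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (.+\.dll)\s*$', line, re.I)
        if m:
            found.add(m.group(1).lower())
    return sorted(found)


def removal_plan(export_text, reported_size, reglite_value, hjt_text):
    """Recovery Console 'del' commands: the hidden AppInit loader first (it is what
    respawns the visible entries), then the DLLs the hijack entries point at."""
    targets = []
    if export_hides_value(export_text, reported_size):
        if reg_sz_size(reglite_value) != reported_size:
            raise ValueError("Reglite size does not match the value it displayed")
        targets.append(reglite_value.lower())
    targets += [d for d in hijack_dlls(hjt_text) if d not in targets]
    return ["del " + t for t in targets]


if __name__ == "__main__":
    print("regedit shows AppInit_DLLs as:", repr(appinit_from_export(REG_EXPORT)))
    print("Reglite size %d matches %r: %s" % (
        REGLITE_SIZE, REGLITE_VALUE, reg_sz_size(REGLITE_VALUE) == REGLITE_SIZE))
    for cmd in removal_plan(REG_EXPORT, REGLITE_SIZE, REGLITE_VALUE, HJT_LOG):
        print(cmd)
```

The order of the plan matters for the reason Zupe gives: deleting gebd.dll while the AppInit_DLLs loader is still on disk just gets you a new randomly named DLL on the next logon. The mismatch check raises if the path Reglite displays does not account for the size it reports, so a truncated or mistyped value is caught before anything is deleted.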
|