Infected CWS.Searchx

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pgonzereli, Jun 28, 2004.

  1. pgonzereli

    pgonzereli Private E-2

    I've been trying to kill off this spyware for days now using my updated Ad-Aware, Spybot, and CWShredder utilities, yet the problem returns by the end of the day. After running HijackThis, I got a return of a few things, and have seen many people posting the results for analysis. Below are the findings of HijackThis. I don't know what I'm supposed to delete, etc.

    Additionally, is the CWS.Searchx spyware known for creating false links on various websites where no links should be? If not, I think I have other spyware that the utilities also can't kill.

    please help,
    pete

    HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:16:58 AM, on 6/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Documents and Settings\Peter\Local Settings\Temp\Temporary Directory 2 for AboutBuster.zip\AboutBuster.exe
    C:\Documents and Settings\Peter\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\iSearch\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. dirtfarmer

    dirtfarmer Private E-2

    Eradication of CoolWebSearch "CWS" variants infecting the computer due to the following conditions present at the time of infection:

    “This is a growing family of Trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.

    The variants of this Trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.”

    JAVA VM was removed, SP1 was left intact and Sun Java was installed per the information below:

    If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Remove the MS Java VM completely and replace it with the newer, safer Sun Java VM.

    As a side note, some of the affiliates (Search-Meta has been verified) use another Java exploit to install their MalWare. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.

    Complications in removing CWS.SearchX described below by Kephyr.com:

    Overview
    Searchx BHO is implemented as a browser helper object and redirects your Internet Explorer browser to search.cc. If you make a search at searchx.cc, the results will be displayed at cx.linklist.cc. Searchx BHO uses random file names and class ids.

    Files
    [random].exe

    Uninstall procedure
    Unknown

    The following posted information worked for removing CWS.SearchX on some infected computers, but I needed to also do the step in the final paragraph:

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run, giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC.
    The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan.) So what you have to do is the following, which worked for me.
    1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
    2. Now delete the AppInit_DLLs key under the Windows2 folder.
    3. Hit F5 and notice that AppInit_DLLs doesn't come back.
    4. Rename the Windows2 folder back to Windows.
    Now that AppInit_DLLs is gone, run the latest Ad-Aware 6 to remove the Trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."

    On this computer, there was an infected .dll file in the Windows\System32 directory called wdmdpi.dll which was detected by Grisoft AVG (installed) and not by Norton or McAfee. AVG reported the infection as BackDoor.Agent.BA. A review of this directory in Windows showed no such file exists. Numerous posts in various online message boards criticized Grisoft AVG for reporting false information. The complete opposite is true. The file did exist and was the Trojan itself. It was discovered by using the Microsoft Windows Recovery Console, and manually deleted. The operating system was secured and the Trojan was eradicated.
     
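The post above describes the AppInit_DLLs value as the persistence point (a value that "looks blank" but is not, re-added by the loaded DLL when deleted, with an on-disk DLL that did not show up in Explorer). The following script is an added example, not code from the thread or from any of the tools named in it, that makes those three properties visible without changing anything: it dumps the raw value as hex so padding or control characters show up, resolves each listed DLL to see whether it is present on disk, and re-reads the value after a pause to mirror the "hit F5" check. It assumes an elevated Windows PowerShell prompt and uses the registry path quoted in the post; the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values it also reports exist on Windows Vista and later and will simply be absent on the XP machines in this thread.

```powershell
# Added example (not part of the thread): read-only audit of the AppInit_DLLs
# persistence point. Run from an elevated Windows PowerShell prompt.
# Assumption: the key path is the one quoted in the post above.
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDllState {
    param([string]$KeyPath = $AppInitKey)

    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -notcontains 'AppInit_DLLs') {
        return [pscustomobject]@{ Present = $false; Raw = ''; Hex = ''; LooksBlank = $false;
                                  HasControlChars = $false; Dlls = @() }
    }

    # Read the raw string with no environment-variable expansion so nothing is rewritten.
    $raw = [string]$key.GetValue('AppInit_DLLs', '',
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

    # Every UTF-16 code unit as hex: a value that regedit renders as empty
    # (spaces, tabs, other control characters) becomes visible here.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($raw)
    $hex   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ' '

    # Windows accepts space- or comma-separated DLL names in this value.
    $dlls = @($raw -split '[ ,]+' | Where-Object { $_ -ne '' })

    [pscustomobject]@{
        Present         = $true
        Kind            = $key.GetValueKind('AppInit_DLLs')
        Raw             = $raw
        Hex             = $hex
        LooksBlank      = ($raw.Length -gt 0 -and $raw.Trim().Length -eq 0)
        HasControlChars = [bool]($raw -match '[\x00-\x1F\x7F]')
        Dlls            = $dlls
    }
}

function Resolve-AppInitDll {
    # Bare names are loaded from System32; rooted paths are used as given.
    param([string]$Name)
    $path = if ([System.IO.Path]::IsPathRooted($Name)) { $Name }
            else { Join-Path $env:SystemRoot ("System32\" + $Name) }
    [pscustomobject]@{
        Entry  = $Name
        Path   = $path
        OnDisk = (Test-Path -LiteralPath $path)
    }
}

function Watch-AppInitDlls {
    # Mirrors the post's "delete it and hit F5" observation in read-only form:
    # a value that changes by itself while you watch is being maintained by running code.
    param([int]$Seconds = 15)
    $before = Get-AppInitDllState
    Start-Sleep -Seconds $Seconds
    $after  = Get-AppInitDllState
    [pscustomobject]@{
        Before  = $before.Raw
        After   = $after.Raw
        Changed = ($before.Present -ne $after.Present) -or ($before.Raw -ne $after.Raw)
    }
}

# --- report ---
foreach ($n in 'LoadAppInit_DLLs', 'RequireSignedAppInit_DLLs') {
    $v = Get-ItemProperty -LiteralPath $AppInitKey -Name $n -ErrorAction SilentlyContinue
    if ($v) { '{0} = {1}' -f $n, $v.$n } else { '{0} not present (normal on Windows XP)' -f $n }
}

$state = Get-AppInitDllState
$state | Format-List Present, Kind, Raw, Hex, LooksBlank, HasControlChars

if ($state.LooksBlank -or $state.HasControlChars) {
    Write-Warning 'AppInit_DLLs is non-empty but displays as blank; inspect the Hex field.'
}

foreach ($d in $state.Dlls) { Resolve-AppInitDll -Name $d }

Watch-AppInitDlls -Seconds 15
```

A DLL that `Resolve-AppInitDll` reports as missing is not necessarily absent: the post found wdmdpi.dll only from the Recovery Console, so treat "OnDisk = False" for an unexplained entry as a reason to check from offline boot media rather than as a clean result. On 64-bit Windows the same value also exists under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows for 32-bit processes; pass that path as `-KeyPath` to audit it too.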
  3. Christoph

    Christoph Private E-2

    I did this and I am pretty sure I have defeated the CWS variant Searchx. It's been about 24 hours without any problems.
     