Variant 38: CWS.Searchx - About:blank
http://www.spywareinfo.com/~merijn/cwschronicles.html#searchx
If "about:blank" is your issue, follow these steps laid out by
Mike Burgess, MVP :
" Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.
Download: CWShredder (***NOTE: as stated above, if you already have
v.1.57, skip this step***)
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.
Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.
Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.
Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.
Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.
[Step1]
Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:
Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden, invisible installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.
[Step2]
Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)
[Step3]
Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows
Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.
IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.
[Step 4]
Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)
Open Winfile
Navigate to System32 folder.
Click File (up top) select: Move
Copy and paste this into the 'From' box:
C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll
Note: where "<filename>" = culprit dll from "output.txt"
Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll"
file.
At this point see if you can rename the "<filename>.dll"
Do this several times, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)
[Step 5]
Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt
[Step 6]
Open Regedit (Start | Run, type "regedit" (no quotes))
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next
Note: where "<filename>" = culprit dll from "output.txt"
Remove all instances found. Press "F3" to continue searching
until you see the "Completed" message.
Next repeat the above steps, substituting the "secondary dll"
from "text/html" as seen in the "output.txt"
[Step 7]
Run CWShredder and reboot.
[Step 8]
Run Ad-Aware
Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html
Launch the program, and click on the Gear at the top of the start
screen.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your
installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
After the above post a fresh [HijackThis] log [to an appropriate
forum] ...
--
Disclaimer: Renaming the "Windows" key modified some security settings.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Right-click the "Windows" key, select: Permissions
[Example]
Before renaming the "Windows" key:
"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
*"Administrators
*Power Users
*Users"
"Write"
*"Administrators"
--
[Example]
After Renaming the key:
"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write"
*"Administrators"
--
You need to check that and if 'Everyone' was added (as seen above)
You need to reset your original settings as follows:
Note: do this after removing the infection.
Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.
Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control". "
MowGreen [MVP]
*-343-* Never Forgotten
Richard said:
Hello,
I've tried everything to get rid of cws.searchx including running
cwshredder, search and destroy, adaware, and hijack this (and deleting
appropriate entries); deleting registry entries; and every other thing you
can think of, and the darn thing keeps coming back within 20 minutes of
getting rid of it. I've tried running these programs in safe mode to no
avail. I'm using all the updated versions of each program.
Could someone give me some advice on what to do next? I really don't want
to have to reinstall windows or anything drastic like that. I appreciate
any help you guys can give me.
Thanks
Richard
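The manual checks in Step 2 (what is sitting in AppInit_DLLs and where that file lives) and in the disclaimer (whether the "Windows" key's permissions now include "Everyone") can be done read-only from a PowerShell prompt before touching anything. The script below is an added example, not part of the original thread or any of the tools it links; it assumes Windows PowerShell 5.1 or later and a 64-bit Windows, so it also looks at the Wow6432Node copy of the key, which the XP-era post did not need to consider. It changes nothing in the registry; it only reports.

```powershell
# Added example (not from the original post): read-only audit of the
# AppInit_DLLs hook and of the ACL on the "Windows" key.
# Assumption: Windows PowerShell 5.1+; on 64-bit Windows the Wow6432Node
# path below is the 32-bit view of the same key and is checked as well.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    Write-Host "== $key"
    $props = Get-ItemProperty -Path $key

    # LoadAppInit_DLLs (Vista and later) gates whether AppInit_DLLs is honoured at all.
    $load = $props.LoadAppInit_DLLs
    $loadText = if ($null -eq $load) { '(absent)' } else { $load }
    Write-Host ("LoadAppInit_DLLs : {0}" -f $loadText)

    # Step 2 of the post: a clean machine has an empty AppInit_DLLs value.
    $value = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($value)) {
        Write-Host 'AppInit_DLLs     : (empty)  <- expected on a clean machine'
    } else {
        Write-Host "AppInit_DLLs     : '$value'"
        # The value is a space- or comma-separated list of DLLs. A bare
        # filename is resolved against System32, as the post's "culprit" was.
        foreach ($entry in ($value -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $path
            }
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $item = Get-Item -LiteralPath $path -Force
                Write-Host ("  {0}  size={1}  signature={2}" -f $path, $item.Length, $sig.Status)
            } else {
                Write-Host "  $path  MISSING (value refers to a file that is not there)"
            }
        }
    }

    # Disclaimer section of the post: after the rename trick the key may carry
    # an "Everyone" read entry that was not there before. List every ACE and
    # flag that identity; the post says it should be removed once the
    # infection is gone, leaving Administrators and SYSTEM with full control.
    $acl = Get-Acl -Path $key
    Write-Host ("Inheritance protected: {0}" -f $acl.AreAccessRulesProtected)
    foreach ($ace in $acl.Access) {
        $flag = if ($ace.IdentityReference.Value -eq 'Everyone') { '  <-- not expected, see disclaimer' } else { '' }
        Write-Host ("  {0,-32} {1,-6} {2}{3}" -f $ace.IdentityReference.Value,
                                                 $ace.AccessControlType,
                                                 $ace.RegistryRights,
                                                 $flag)
    }
}
```

Run it from an elevated prompt so Get-Acl can read the key's security descriptor. A non-empty AppInit_DLLs whose file shows "signature=NotSigned" and refuses to open is the same indicator the post describes with "+++ File read error"; note the path and continue with the post's Step 3 onward rather than deleting from this script.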