about:blank cws.searchx...what a...

Discussion in 'adware, spyware & hijack cleaning' started by Leburn, May 3, 2004.

Thread Status:
Not open for further replies.
  1. Leburn

    Leburn Registered Member

    Joined:
    May 2, 2004
    Posts:
    2
    Hi, I have the same problem as shown in another thread. When I run cwshredder.exe it informs me that it removed cws.searchx, but without success because it always comes back. WOW, this is weird how it goes. Can you help me to get rid of it please?

    I have installed SP1a because I read somewhere that this cws.searchx was using the MS virtual machine and on SP1a it was deactivated... it seems that nothing changed.

    Other point: I ran find all.bat and it finds // F:\WINDOWS\System32\HLPCK.DLL +++ File read error // Don't ask me how to find this file because I can't find it...

    I followed the first two steps and now I'm proceeding with the last one.

    As asked, I used Ad-Aware for the first step. Boy, I had to perform the scan 3 times before it took out all the spyware on my computer.

    Now here is my data from HijackThis...
    Logfile of HijackThis v1.97.7
    Scan saved at 21:58:56, on 2004-05-02
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    F:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    F:\Program Files\Canon\MultiPASS\mpservic.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\System32\nvsvc32.exe
    F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    F:\WINDOWS\anvshell.exe
    F:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    F:\WINDOWS\SOUNDMAN.EXE
    F:\WINDOWS\LOGI_MWX.EXE
    F:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    F:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    F:\Program Files\Belkin\Nostromo\nost_LM.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Documents and Settings\Bruno\Bureau\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: (no name) - {A92A1D84-BD3D-44F6-875C-219858FEC8B2} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [AVG_CC] F:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Opware12] "E:\ScanSoft\OmniPagePro12.0\Opware12.exe"
    O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Loadout Manager.lnk = F:\Program Files\Belkin\Nostromo\nost_LM.exe
    O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
    O9 - Extra button: Créer un Favori de l'appareil mobile (HKLM)
    O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... (HKLM)
    O9 - Extra button: Recherche (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.7281712963
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gun20030.server
    O17 - HKLM\Software\..\Telephony: DomainName = gun20030.server
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60162DC7-D695-49B5-857A-5DD698338387}: NameServer = 192.168.0.200,192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gun20030.server
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gun20030.server
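The log above, run through a small triage script. This is an added example and not code from the thread, from HijackThis or from its helpers; the sample lines are copied from the log posted above, and the allowlist of expected ActiveX download hosts, the severity labels and the rules themselves are my assumptions about what a helper checks first (orphaned toolbar CLSIDs, autorun entries that give only a bare filename, O16 downloads from unfamiliar hosts, and O17 DNS servers outside the private ranges).

```python
"""Triage of a HijackThis log: parse the numbered item lines and flag the
entries a helper would look at first.  Added example, not code from the
thread; the host allowlist and the severity labels are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input constructed from lines in the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {A92A1D84-BD3D-44F6-875C-219858FEC8B2} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [AVG_CC] F:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gun20030.server
O17 - HKLM\System\CCS\Services\Tcpip\..\{60162DC7-D695-49B5-857A-5DD698338387}: NameServer = 192.168.0.200,192.168.0.1
"""

# Assumed allowlist: hosts from which an O16 ActiveX download is expected.
KNOWN_DPF_HOSTS = ("microsoft.com", "apple.com", "macromedia.com", "ea.com", "msn.com")

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O4 - HKLM\..\Run: ..."
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")


@dataclass
class Entry:
    section: str   # O2, O3, O4, O16, O17, ...
    body: str


@dataclass
class Finding:
    section: str
    severity: str  # info / low / medium / high (assumed scale)
    detail: str


def parse_log(text):
    """Return the item lines as Entry objects, skipping header text."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def first_token(cmd):
    """Executable part of a Run command: a quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries):
    """Apply the review rules and return the findings in log order."""
    findings = []
    for e in entries:
        if e.section == "O3" and e.body.endswith("(no file)"):
            findings.append(Finding("O3", "low", "orphaned toolbar CLSID, file is gone: " + e.body))
        elif e.section == "O4":
            m = O4_RE.search(e.body)
            exe = first_token(m.group("cmd")) if m else ""
            # A bare filename is resolved through the search path at logon, so
            # the file that actually runs has to be located and checked by hand.
            if exe and "\\" not in exe and "%" not in exe:
                findings.append(Finding("O4", "medium", "autorun with unqualified path, locate and verify: " + exe))
        elif e.section == "O16":
            url = e.body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in KNOWN_DPF_HOSTS):
                findings.append(Finding("O16", "medium", f"ActiveX control from unlisted host {host}: {url}"))
        elif e.section == "O17":
            key, _, value = e.body.partition(" = ")
            if key.endswith("NameServer"):
                for ip in value.split(","):
                    addr = ipaddress.ip_address(ip.strip())
                    # Private DNS servers are normal on a LAN; public ones need confirming.
                    sev = "info" if addr.is_private else "high"
                    findings.append(Finding("O17", sev, f"DNS server {addr} (private={addr.is_private})"))
            elif key.endswith("Domain"):
                findings.append(Finding("O17", "info", "DNS domain suffix set: " + value))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.section:<4}{f.severity:<7}{f.detail}")
```

On the sample, the two "(no file)" toolbars come out as low-severity leftovers, the `livenote.exe` autorun is flagged because only a bare name is recorded, the Tukati download is flagged because its host is not on the allowlist, and the O17 lines are reported as informational since both name servers are private LAN addresses that match the domain suffix.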
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Leburn,

    The first step to do now is to make that file visible on your PC. Then we are gonna do some editing and try to nuke it, so it will prevent re-infection.

    Download http://www.resplendence.com/reglite

    -Run reglite and go to this key :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    -Rename the folder Windows to NotWindows (highlighted purple folder in the left hand pane of reglite)

    -Click "AppInit_DLLs" again and clear the data value:
    C:\WINDOWS\System32\HLPCK.DLL <- delete this line,
    'Apply' and 'ok' to set.

    -Rename the NotWindows folder back to its original name Windows

    -Restart computer

    Please inform me whether you can see the hidden dll in the system32 folder now (HLPCK.DLL)

    Do not take any action yet, just inform us whether it's visible!

    Thnx

    Cheers,
     
  3. Leburn

    Leburn Registered Member

    Joined:
    May 2, 2004
    Posts:
    2
    No, I still do not see the file HLPCK.DLL.

    Thanks for your help, I'll keep reading this thread Unzy...
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands