CWS.Searchx seems to be a very tricky one to get rid of.
I have used Ad-aware 6, Spybot Search & Destroy, HijackThis! and CWS Shredder. All programs were fully up to date.
CWS Shredder will remove the Searchx but will keep coming back, after a couple hours. And again it will keep coming back. I was wondering if anyone else has this particular CWS hijack and if there are exact steps to remove this nasty trojan.
Thank you.
The CWS Searchx probably hooked onto one of your startup files, causing it to be reloaded. If you post your hijack log, people will help with which ones to delete.
Tough call - For an option I recommend downloading 'STINGER'; it will scan for 41 different current worms and viruses. BE SURE TO READ THE INFO IF YOU ARE USING WINXP or ME.
Info if you are running WinXP or ME:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
'STINGER' DOWNLOAD:
http://vil.nai.com/vil/stinger/
GOOD LUCK -
LEE
P.S.
YOU MIGHT ALSO UP YOUR SECURITY AND PRIVACY SETTINGS: RIGHT CLICK MY COMPUTER, THEN CLICK PROPERTIES, THEN THE SECURITY TAB, READ AND RESET THE CONFIGURATION TO MEDIUM HIGH FOR STARTS. ALSO, GET YOUR 'CRITICAL' WINDOWS UPDATES HERE: http://windowsupdate.microsoft.com/ GET A GOOD ANTIVIRUS PROGRAM, AVG FREE EDITION, IF YOU HAVE NOTHING - http://www.grisoft.com/ AND KEEP THE DEFINITIONS UPDATED EVERY DAY - Let me know if this gets you back on track -
LOTS OF LUCK,
Lee
This worked for me:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.
The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.
1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."
(http://www.dslreports.com/forum/remark,10167490~mode=flat)<--page
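A read-only check of the AppInit_DLLs value described in the post above, added here as an example and not part of the original thread: it prints the value with hidden characters made visible and reports whether each listed DLL exists on disk. Resolving bare file names against System32 is an assumption of this script.

```powershell
# Added example (not from the thread): read AppInit_DLLs directly and make
# hidden characters visible instead of trusting how regedit renders the value.
$keyPath   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$valueName = 'AppInit_DLLs'

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath)  # opened read-only
if ($null -eq $key) {
    Write-Output "Key not present: HKLM\$keyPath"
}
elseif ($key.GetValueNames() -notcontains $valueName) {
    Write-Output "$valueName is not set."
    $key.Close()
}
else {
    $kind = $key.GetValueKind($valueName)
    $raw  = $key.GetValue($valueName)
    $key.Close()

    # Normalise to a string; a binary value is decoded as UTF-16LE for display only.
    if ($raw -is [byte[]])       { $text = [System.Text.Encoding]::Unicode.GetString($raw) }
    elseif ($raw -is [string[]]) { $text = $raw -join ' ' }
    else                         { $text = [string]$raw }

    # Show control and non-ASCII characters as <U+XXXX> so padding or NULs stand out.
    $visible = -join ($text.ToCharArray() | ForEach-Object {
        $cp = [int]$_
        if ($cp -lt 0x20 -or $cp -gt 0x7E) { '<U+{0:X4}>' -f $cp } else { [string]$_ }
    })
    Write-Output "Type: $kind   Length: $($text.Length) characters"
    Write-Output "Value with hidden characters shown: [$visible]"

    # Windows treats the value as a space- or comma-delimited list of DLLs.
    $entries = @($text -split '[\s,\x00]+' | Where-Object { $_ })
    if ($entries.Count -eq 0) { Write-Output 'No DLL entries listed.' }
    foreach ($dll in $entries) {
        # Bare names are resolved against System32 (assumption made for this check).
        $isFullPath = $dll -match '^(?:[A-Za-z]:|\\\\)'
        $path = if ($isFullPath) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($file) { Write-Output "LISTED  $path  (modified $($file.LastWriteTime), attributes $($file.Attributes))" }
        else       { Write-Output "LISTED  $path  (file not found on disk)" }
    }
}
```

On a clean system the value is normally empty, so any listed DLL is worth identifying before the key is touched.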
Thanks steve1308, I really do appreciate the info. I have been at battle with this infection for quite some time and hadn't found a cure. My Laptop and desktop computers were both infested. Most info that I received from other sources, were very complex and "fixed" part of the problem. Thanks again!
How do you access the registry keys in Windows 98? Also these seem to be some time-consuming procedures. Are there any shortcuts? Will any Norton or McAfee do the job for me? This is a very annoying bug because I am very careful about the sites I visit so where is it coming from?
I just wanted to add some bits to steve1308's comments which seem to have worked for me...
Basically I followed steve1308's advice, but every time I closed RegEdit, the AppInit_DLLs key was back (and of course CWS as well).
The way I seem to have solved this is by following steve1308's first two steps (renaming folder and deleting AppInit_DLLS key), but then rebooting.
When the machine started up again, my Norton Anti-Virus picked up "wind.dll" and nuked it. This seems to have been the root of the problem. Previously it had been impossible to delete before because it was loaded as a module into IE, then seemingly deleted (or otherwise hidden) once IE stopped running.
I then renamed Windows2 back to Windows and so far no sign of the AppInit_DLLS key.
I had been alerted to the existence of wind.dll by some advice at http://www.spywareinfo.com/~merijn/cwschronicles.html (specifically the Manual Removal Instructions under CWS.Realyellowpage), however I could never find this file on my system (even though it was showing in the logfile generated by these steps). I believe this filename is random, so it may also be different on other systems.
It appears the registry key in steve1308's advice was the culprit for keeping wind.dll hidden. With that key disabled, standard anti-virus software removed it in seconds.
This was on Windows XP I might add.
Well, I just did all those follow-ups and none of them worked for me. I deleted it from the windows folder (apps.dll?) and it didn't come back but I still get the searchx thing. I'm running adware, stinger, cwshredder, and I had some people helping me with the registrar and other stuff. After all this there's still no luck. Any other options for me?
Thx steve !! It works !!
I can install the microsoft xp patch KB828741 now. Before it didn't work with this searchx.
I have had no success like many others in removing the CWS.searchx trojan spyware. I have used every available tool listed, removed suggested registry entries, and cussed a lot. Does anyone have any further suggestions to get rid of this crap. Really getting tired of seeing an unwanted "Search for" page every time I open IE6.
TAP
Two thoughts:
How do you identify the DLL? It is obfuscated in the registry entry. Is it actually hex data? If so you could translate it to give the dll name, then unregister & delete the dll to start, and clean the registry of that?
Second, what is the liability of Searchx? Since it would appear that they are behind all of this.
Thanks a lot steve1308!
This actually fixed TWO problems on my computer. The searchx dll file was named msoe.dll, a dll file needed by Outlook Express. Now I can finally check my mail using my own computer, and have got rid of the "search for..." page along with the antispyware pop-ups.....
Damn those random file names......
Removed cwssearchx on win98se. It created a system hook of c:\windows\system\hlpdocm.dll hooked to rundll32.exe which ran at startup through tweakui. No program would remove it for more than a few hours, always came back. It even disabled some programs like freecell and gave false invalid page fault errors.
Simple fix: boot to DOS, run del c:\windows\system\hlpdocm.dll
Reboot windows. Error msg: failure loading hlpdocm.dll. Now run a reg cleaner like system optimiser pro; others may work also. Since the dll no longer exists, all registry entries referring to it will be invalid and can be found and removed by the reg cleaner.
Reboot. No error msgs. All programs work again. And no redirects of browser.
Of course delete the hidden file particular to your system
gjm
hey steve1308
I had the exact same problem
I did exactly as you said and now meh pc is bung..... it won't boot into windows at all
:|
Hi there
I found this board while doing a search for "cws searchx". I, like many of you, have somehow managed to be hijacked by it. I've read your advice on how to get rid of it. Especially Steve1308's. Here's the problem I'm having. I am NOT a computer wiz and I don't know how to find these files that I have to rename. Could someone please treat me like a five year old and take me thru the process of getting rid of this trojan STEP by STEP? I would greatly appreciate any help.
newdity
Oh, by the way.
I'm running Windows 2000. Please post your response (if any) on this board for everyone to see. Thanks in advance.
newdity
I'm the same as newdity. I'm not a computer wiz, and I'm having problems trying to get rid of CWS.Searchx.
I'm running Windows XP
Any help would be greatly appreciated!
Actually, I may have found a solution...
http://forums.subratam.org/index.php?showtopic=583 has a pretty easy-to-follow solution that appears to have worked.
Here's hoping anyhow! I'll give it a few hours to see if it comes back again, but hopefully it won't.
Steve1308
steve1308
I am stuck, somehow an HLM\Software\Microsoft\Windows2 entry containing all of desktop information was created when I renamed the HLM\Software\WINNT\Microsoft\Windows folder
A new HLM\Software\Microsoft Windows entry containing almost no info exists now and I can't rename it or delete it. Do you have any suggestions?
I also have the csw searchx virus and I have Windows 98. When I try to locate the appinit.dll's in the registry, instead of getting this:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
after the CurrentVersion part there isn't a windows folder, there are 2 sub folders called drivers.desc and driver32. Can someone tell me where I can find the appinit dll files???
I have the exact same problem as Jel does!
I have Windows 98SE, and when I went through the registry, the windows folder was missing in the Current Version, and all I could see were the two drivers.
Also, this bug runs -ONLY- whenever I double click on AIM (AOL Instant Messenger). I can do anything else on my computer, but whenever I double click AIM, this CWS.Searchx thing reinvents itself. As was said before, no matter how many times I get CWShredder to do its thing - it's never enough.
Also, because of this program (or so I believe) I cannot run Registry Mechanic. Due to either a bad memory sector, boot error or virus. I'm guessing it's the "virus" option.
Again though, what do us Windows 98ers do when that Windows folder doesn't exist?
Again, thanks for all your help.
Steve 1308, you are awesome.
I struggled with CWS for a few days. Lots of recipes of how to get rid of it, but nothing worked. Your method worked and within 10 minutes my PC was clean.
Brilliant. Thanks.
I concur with Tobes, Steve1308, you are awesome. Not only did your fix clear up the visible effects of CWS, but also the PC is much faster and it got rid of some errors that must have been related.
Thanks!!
Newdity, from the START button click RUN then type in REGEDIT. From here you can get to the folder Steve1308 talks about. Be very CAREFUL and do EXACTLY what Steve1308 says. This trojan nearly drove me crazy because WinPatrol would warn me every 3 min.
My sincerest thanks to Steve1308, for preserving my sanity.
P.S. I'm running Windows 2000.
I am quite new at this, but steve1308...do you mean totally delete the appinit_dll from the registry? Right click, DELETE or does it serve a purpose and need to stay? I want to get rid of this damn spycrap for good. Anybody? I have tried HJT, AdAware, Norton. It just keeps coming back.
I am on XP PRo.
Greensled. Delete AppInit.dll with extreme prejudice.
Cheers!
HI Neptune,
Thanks for teaching me how to get to the registry. But guess what? I did EXACTLY as Steve1308 suggested. I found the file, renamed it, and deleted the Appinit_dll. And the damn CWS Searchx page is STILL THERE. I even ran Adaware and Hijack this to make sure. Even after rebooting I checked the registry again to make sure Appinit was NOT there and it's gone. SO this thing has found a way to come back EVEN AFTER it's BEEN DELETED. HELP!!! Any suggestions? Please advise. Thanks in advance.
newdity
If you're running Microsoft office programs, run Office Update to block as many security holes as possible. Then use the CWS shredder and Spybot S&D. This worked for me after much messing around.