<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- generator="HardwareAnalysis.Com" -->
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="">
        <title>Hardware Analysis - Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware+removal</title>
        <description>Hardware Analysis Community Forums</description>
        <link>http://www.hardwareanalysis.com/content/topic/26927/</link>
        <image rdf:resource="/images/halogo.gif" />
        <dc:date>2009-11-07T22:52:55-05:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/?o=20#159021"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/?o=20#149858"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#141951"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#140453"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#140029"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#140026"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#140024"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#139421"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#139419"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#139367"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#139107"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#139007"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#136775"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#136770"/>
                <rdf:li rdf:resource="http://www.hardwareanalysis.com/content/topic/26927/#136273"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="/images/halogo.gif">
        <title>Hardware Analysis</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/</link>
        <url>/images/halogo.gif</url>
    </image>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/?o=20#159021">
        <dc:format>text/html</dc:format>
        <dc:date>2004-08-08T20:25:41-05:00</dc:date>
        <dc:creator>sandy7m</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/?o=20#159021</link>
        <description>Reading through the original posting I instantly recognised www.coolsearch.  &lt;br /&gt;
&lt;br /&gt;
That is not its real name.  Basically it is a very comprehensive suite of small programs.  Altogether it is one hell of a spyware program that hijacks Internet Explorer among other things.  To date I have found nothing that will remove it.  That and other problems have made me decide to get the hard drive wiped clean at the next opportunity.  This is really the only sure way.  This piece of spyware has &amp;quot;spread tendrils&amp;quot; through Explorer to make it very hard to remove.  It also changes and adds some files to the system32 folder which, I have found out, is something that you cannot mess with.  What I have also found is that if you do not get rid of it completely, it will send Explorer back to the website to reinfect your machine.  &lt;br /&gt;
&lt;br /&gt;
This spyware has utilised weaknesses in Internet Explorer that are only now being addressed by Microsoft.  For safer surfing in the future use Opera.  It is a no frills browser that has become very popular where I am working (Mexico).  It seems to be immune to the spyware problem and most of my work colleagues use it exclusively.  &lt;br /&gt;
&lt;br /&gt;
Now to the other name I recognised, or rather the URL.  I refer to vn-msie.  This is a real piece of evil marketing in motion.  The spyware that has lodged in your computer is designed to slow it down without making apparent what is happening.  This (and other problems the spyware causes) is meant to lead you to this guy's pop-up advertising for the removal of spyware.  The cheek of it.  He has crippled your machine and then wants you to take his software to remove his spyware.  Anyone read the words &amp;quot;protection racket&amp;quot; in this scenario? &lt;br /&gt;
&lt;br /&gt;
For one more bit of bare-faced cheek look at the URL (vn-msie).  For msie read MicroSoft Internet Explorer.  Now he is trying to catch the gullible.  No matter how tempted you are, do not go to his website to rid yourself of this problem.  Word has it that the programme you download has more pestware in it that will kick in at a later date, and of course, guide you to his website for more software to remove this latest problem.  Getting the picture yet?  &lt;br /&gt;
&lt;br /&gt;
I have a brother-in-law who is the original computer geek and makes his living setting up computer networks.  He has had a go at removing this but gave up after a determined struggle.  He is an expert in his field and his advice for the future was as follows - &lt;br /&gt;
&lt;br /&gt;
1.  By the virtue of the game the pestware writers are always one step ahead of the antivirus writers (include spyware in that description).  So don't expect immunity no matter how much protection you have and how much it cost.  &lt;br /&gt;
&lt;br /&gt;
2.  Always keep your files (spreadsheets, pictures, movies, etc) safe on an external hard drive and scan it regularly for viruses.  I do that already.&lt;br /&gt;
&lt;br /&gt;
3. While browsing the internet have the external hard drive unplugged.  There is no current reason behind this but he thinks this is where the next stage of &amp;quot;the war&amp;quot; will take place.   &lt;br /&gt;
&lt;br /&gt;
4.  At the moment, viruses and spyware do their dirty work on your C drive.  Always be in a position to say to hell and format if things get bad.  Nothing has been written yet that beats C:/ Format.  &lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/?o=20#149858">
        <dc:format>text/html</dc:format>
        <dc:date>2004-07-07T20:04:04-05:00</dc:date>
        <dc:creator>Joe Suave</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/?o=20#149858</link>
        <description>Searchx removal information&lt;br /&gt;
&lt;br /&gt;
This worked for me:&lt;br /&gt;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs&lt;br /&gt;
You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc. &lt;br /&gt;
The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.&lt;br /&gt;
1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.&lt;br /&gt;
2. Now delete the AppInit_DLLs key under the Windows2 folder.&lt;br /&gt;
3. Hit F5 and notice that AppInit_DLLs doesn't come back.&lt;br /&gt;
4. Rename the Windows2 folder back to Windows.&lt;br /&gt;
Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.&lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#141951">
        <dc:format>text/html</dc:format>
        <dc:date>2004-06-09T06:02:17-05:00</dc:date>
        <dc:creator>JIM LIN</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#141951</link>
        <description>I've killed this hijack by use of a program named CWShredder.exe. &lt;br /&gt;
It's very easy. Just download it and run it (under protect mode).&lt;br /&gt;
Remember, close all the IE6 and windows before running this program.&lt;br /&gt;
You can download it from here &lt;br /&gt;
&lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.zerosrealm.com/downloads/CWShredder.zip&quot; target=&quot;_blank&quot;&gt;http://www.zerosrealm.com/downloads/CWShredder.zip&lt;/a&gt;</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#140453">
        <dc:format>text/html</dc:format>
        <dc:date>2004-06-03T23:23:52-05:00</dc:date>
        <dc:creator>Dave Demp</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#140453</link>
        <description>This is it. I have cleaned SEARCHX completely; here's how to make a good rebuild for Win ME.&lt;br /&gt;
Might even work with 98 also!&lt;br /&gt;
&lt;br /&gt;
Ok here goes, I can't believe I had to register just to post this. But I got rid of searchx because of some of the tips here, so returning a favour, thanks people, I couldn't have done it alone.&lt;br /&gt;
&lt;br /&gt;
I am running windows ME with all the MS upgrades except IE6, which wouldn't install until after I removed searchx.&lt;br /&gt;
&lt;br /&gt;
1/ Download cwshredder.exe (download it from &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.spywareinfo.com/~merijn/files/CWShredder.exe&quot; target=&quot;_blank&quot;&gt;http://www.spywareinfo.com/~merijn/files/CWShredder.exe&lt;/a&gt;)&lt;br /&gt;
2/ Download reshacker.zip (download it from &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://delphi.icm.edu.pl/ftp/tools/ResHack.zip/&quot; target=&quot;_blank&quot;&gt;http://delphi.icm.edu.pl/ftp/tools/ResHack.zip/&lt;/a&gt;)&lt;br /&gt;
3/ Download a registry checker. I have Norton Utilities, so if you have it, that will do.&lt;br /&gt;
Unzip both programs, but do not run them yet.&lt;br /&gt;
&lt;br /&gt;
3/ Download an alternate web browser, I used Opera, not a bad bit of kit &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.opera.com&quot; target=&quot;_blank&quot;&gt;http://www.opera.com&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
4/ Now delete Internet Explorer.&lt;br /&gt;
I know you cannot remove it the normal way through &amp;quot;add/remove&amp;quot;, just go into the folder C:\Program Files\Internet Explorer and delete it all.&lt;br /&gt;
&lt;br /&gt;
5/ Then go to C:\Windows\System and delete blank.htm&lt;br /&gt;
&lt;br /&gt;
6/ Start the pc in safe mode. F8 on boot and select option:3 Safe Mode.&lt;br /&gt;
&lt;br /&gt;
7/ Run cwshredder.exe &lt;br /&gt;
&lt;br /&gt;
8/ Go to your trashcan and empty it.&lt;br /&gt;
&lt;br /&gt;
9/ Run reshacker.exe after you use the scan, highlight each reg entry and select info. If it is reported as not being a normal entry, then tick it. Then click on fix to remove them.&lt;br /&gt;
&lt;br /&gt;
10/ When they have been removed, click scan again and repeat the above. Do this at least three times.&lt;br /&gt;
&lt;br /&gt;
11/ Go to Trash can and empty.&lt;br /&gt;
&lt;br /&gt;
12/ Run your registry checker.&lt;br /&gt;
&lt;br /&gt;
13/ Reboot and use Start/Settings/Control Panel/Internet Options.  Make sure you clear the history and previous files and set default home page to something like &lt;a class=&quot;ext&quot; target=&quot;_blank&quot; href=&quot;/action/r/http://google.com&quot;&gt;google.com&lt;/a&gt; or &lt;a class=&quot;ext&quot; target=&quot;_blank&quot; href=&quot;/action/r/http://yahoo.com&quot;&gt;yahoo.com&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
14/ Open Opera web browser and download the latest Explorer. 6 SP1 is the latest. Make sure you turn off all anti virus software and internet security software before you try to install it!!!!!!!!!!!!!!!&lt;br /&gt;
&lt;br /&gt;
15/ Reboot, check internet options to make sure the default home page you put in is still there. If it isn't, you have to repeat the above.&lt;br /&gt;
&lt;br /&gt;
If it's the same home page, you are back to normal, I hope.&lt;br /&gt;
&lt;br /&gt;
If all else fails, just use Opera. It's a great freebie browser. Fast and friendly and seemingly unaffected by searchx.&lt;br /&gt;
&lt;br /&gt;
Good Luck and email me if you get stuck &lt;a class=&quot;ext&quot; href=&quot;mailto:david.dempster@lineone.net&quot;&gt;david.dempster@lineone.net&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Cheers&lt;br /&gt;
Davey&lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#140029">
        <dc:format>text/html</dc:format>
        <dc:date>2004-06-02T14:11:21-05:00</dc:date>
        <dc:creator>S Parker</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#140029</link>
        <description>SOLUTION TO REMOVE SEARCHX AND/OR FREEYELLOWPAGE ADWARE (reposted with corrections):&lt;br /&gt;
&lt;br /&gt;
1. Download and install Adaware 6.0 BUILD 1.81 (filename &amp;quot;aaw181.exe&amp;quot;, ~2Mb) from &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.download.com&quot; target=&quot;_blank&quot;&gt;http://www.download.com&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
2. Do not run the software until you've updated the reference list (step 3).&lt;br /&gt;
&lt;br /&gt;
3. Download the latest reference list from the Adaware, unzip it, and copy it into the Adaware program directory (overwriting the current reflist.ref file). See: &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.lavasoftusa.com/support/download/&quot; target=&quot;_blank&quot;&gt;http://www.lavasoftusa.com/support/download/&lt;/a&gt; and download the red-highlighted link (today there is a reference list dated 6-02, more current than mentioned in my previous post).&lt;br /&gt;
&lt;br /&gt;
4. Run Adaware with no other programs running (to be clean) and SCAN&lt;br /&gt;
&lt;br /&gt;
5. Click the necessary NEXT button and select files to quarantine. If you've been quarantining files with other programs, Adaware may detect those quarantined files. &lt;br /&gt;
&lt;br /&gt;
I am sure CWShredder will be updated soon to fix the searchx/freeyellowpage complex, (Merijn does good work) but for now, Adaware will quarantine the complex file(s). Essentially you should find two .dll files [one is the regenerator file (presumed to be associated with CWS-freeyellowpage), the other is the randomly generated file (the CWS-searchx variant)]. I'm not sure if Adaware fixes the registry appropriately, however, you may want to run Easycleaner (or other) to clean up your registry.&lt;br /&gt;
&lt;br /&gt;
Reboot.&lt;br /&gt;
&lt;br /&gt;
all the best.&lt;br /&gt;
S Parker&lt;br /&gt;
&lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#140026">
        <dc:format>text/html</dc:format>
        <dc:date>2004-06-02T13:58:22-05:00</dc:date>
        <dc:creator>S Parker</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#140026</link>
        <description>AND, by the way, after I posted this time, I did not see any infection. </description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#140024">
        <dc:format>text/html</dc:format>
        <dc:date>2004-06-02T13:56:36-05:00</dc:date>
        <dc:creator>S Parker</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#140024</link>
        <description>SOLUTION:&lt;br /&gt;
&lt;br /&gt;
Download the latest build of Adaware (see &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.download.com&quot; target=&quot;_blank&quot;&gt;http://www.download.com&lt;/a&gt;). The build number should be 1.87 or 1.97 (whichever, the name of the download reflects the build number). Then go to the Adaware website and download the latest reference list (currently dated May 30, 2004, I think). Scan with Adaware. &lt;br /&gt;
&lt;br /&gt;
CWS-searchx.cc itself can be shredded with cwshredder (Merijn's software). However, if after using cwshredder, searchx reappears, then you likely have CWS-freeyellowpage which will continuously reload searchx. The reloader is a hidden dll file. You can locate it with prcview if you like, but Adaware, with the current reflist will do the job for you.  I suspect that using Windows' Find/Search function on the usual SYSTEM folder for *.dll will yield a comparative list of these hidden files. You can also see it with DOS/Command Prompt. If you remove this file manually, running in Safe Mode is the best bet.&lt;br /&gt;
&lt;br /&gt;
I'm confident my infection is gone since the behaviour of my Iexplore process has returned to normal. (It doesn't hang any more once I close the IE window)</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#139421">
        <dc:format>text/html</dc:format>
        <dc:date>2004-05-31T15:31:33-05:00</dc:date>
        <dc:creator>S Parker</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#139421</link>
        <description>This website sucks.&lt;br /&gt;
&lt;br /&gt;
Just as I posted my last post above, I was re-infected with the searchx variant. (ADMIN, take note)&lt;br /&gt;
&lt;br /&gt;
Ok. For now, using the big bad band-aid approach on the .dll file using reshacker will have to do. If you're going to put a band-aid on the file, though, just use reshacker and don't worry about running all the other programs. It's a pointless waste of time. Just use reshacker and change searchx.cc to &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.disney.com&quot; target=&quot;_blank&quot;&gt;http://www.disney.com&lt;/a&gt;. ALSO create a blank.htm file in windows\system to prevent searchx.cc from being called if future .dll files are randomly generated. The guy that writes cwshredder must be asleep at the wheel on this one.&lt;br /&gt;
&lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#139419">
        <dc:format>text/html</dc:format>
        <dc:date>2004-05-31T15:20:59-05:00</dc:date>
        <dc:creator>S Parker</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#139419</link>
        <description>To be honest, the solution you just posted can be problematic, since the .dll file you're altering with reshacker is a randomly-generated .dll file. In your method posted above, it's pointless to simply alter the behavior of this file since you then shred it with cwshredder (which should be done under Safe Mode if you want a clean system). Also, you do not mention how to remove the generator file (the file that generates the .dll file in the first place).&lt;br /&gt;
&lt;br /&gt;
To make life simple (and educate the user along the way):&lt;br /&gt;
&lt;br /&gt;
With Windows running in SAFE MODE (To enter safe mode, reboot your computer while either holding down the CTRL key or the F8 key -- depending on your computer manufacturer. You will get a prompt. Select the SAFE MODE option. Boot to Safe Mode, and conduct the following procedures.):&lt;br /&gt;
&lt;br /&gt;
1. RUN CWSHREDDER with the &amp;quot;send to recycling bin....&amp;quot; option selected so you know what you're actually deleting! (see links elsewhere on this thread) It will identify the cws variant -- presumably searchx, tell you it was removed, and you will see the .dll file appear in your recycling bin -- this does not happen if you are running windows in normal mode because you cannot delete the file in normal mode as it is running, plus you may find a &amp;quot;blank.htm&amp;quot; file in the recycling bin.&lt;br /&gt;
&lt;br /&gt;
2. EMPTY RECYCLING BIN &lt;br /&gt;
&lt;br /&gt;
3. RUN HIJACKTHIS (see links to program elsewhere on this thread) Remove all the lines ending in &amp;quot;sp.html&amp;quot; (there will be several registry entries beginning with R0,R1, R2, etc...plus at least one more entry lower in the list). &lt;br /&gt;
&lt;br /&gt;
4. In Hijackthis, also look for and remove DPF (download program file) entries (these lines may begin with &amp;quot;O16&amp;quot;) which you do not know about. You should be able to easily identify valid entries, remove unidentifiable entries. For example, I use shutterfly photo/image service, and this is a downloaded program file I use directly with their online service. The searchx spyware seems to have a downloaded program file (this is the file I believe generates the random .dll) and it was HIDDEN from hijackthis on my PC. But remove all suspicious DPF entries to be sure. &lt;br /&gt;
&lt;br /&gt;
5. MANUALLY REMOVE SUSPICIOUS DOWNLOADED PROGRAM FILES (~30kb, and unidentifiable) Go to C:\windows\Downloaded Program Files, and manually, right-click on suspicious looking files and select to REMOVE these kinds of files. Mine was about 30+kb in size (about the same size as the random .dll file). Note: If you happen to remove a valid file in this directory, you will likely be able to re-download the program file whenever you need to use the service associated with it. So I wouldn't worry too much about deleting good files. The file will not appear in the recycling bin -- once removed it is GONE.&lt;br /&gt;
&lt;br /&gt;
6. CLEAN THE REGISTRY. Use EasyCleaner (I think it's linked somewhere on this thread, but search google for &amp;quot;EClea1_7.exe&amp;quot; for a good copy. Newer versions aren't any better, just have more functions.). This will remove any stray registry entries linked to the files you have removed, so it won't look for them during reboot. Remove ALL registry entries that EasyCleaner finds. I've used the program for a few years with no problems.&lt;br /&gt;
&lt;br /&gt;
7. CHANGE YOUR HOMEPAGE entry in IE (I often use a link to a .html file on my hard disk, but &lt;a class=&quot;ext&quot; target=&quot;_blank&quot; href=&quot;/action/r/http://google.com&quot;&gt;google.com&lt;/a&gt;, &lt;a class=&quot;ext&quot; target=&quot;_blank&quot; href=&quot;/action/r/http://yahoo.com&quot;&gt;yahoo.com&lt;/a&gt;, etc is good as well). My local .html file is quick to load and contains links to all my favorite sites (I hate the Favorites list!).&lt;br /&gt;
&lt;br /&gt;
8. Reboot to Normal Mode.&lt;br /&gt;
&lt;br /&gt;
As posted a couple entries above, up until yesterday I had this searchx infection for about a week and it returned several times. If you use the reshacker program, it will only modify the randomly generated .dll file which will remain active on your computer. In the message posted by the guy above, if you run cwshredder in NORMAL MODE it will not remove this .dll file, so it is best to run cwshredder in Safe Mode where the .dll file is successfully removed. So, if you were to later run cwshredder in safe mode (to remove a future variant, possibly even searchx itself) that .dll file will be removed and then regenerated the next day by the originating generator file. Once I removed the generator file (in C:\Windows\Downloaded Program Files) I haven't seen the searchx variant return today (but then again, there is always tomorrow). &lt;br /&gt;
&lt;br /&gt;
Finally, as I mentioned in my last post, I created my own &amp;quot;blank.htm&amp;quot; file in the C:\Windows\System directory. If you open the source code of the searchx variant's start page, you will note that the page itself contains a javascript that runs searchx.cc\...... So if you cannot for some reason fix the searchx problem, create your own &amp;quot;blank.htm&amp;quot; file (even just a blank file with gibberish) and change permissions on the file to &amp;quot;READ-ONLY&amp;quot;. It cannot be overwritten, and your start page will at least not auto-load the searchx.cc javascript. This is yet another &amp;quot;patch&amp;quot; of sort (similar to using reshacker on a randomly generated file). Just keep in mind that if you shred variants in SAFE MODE at a later date, it will remove the .dll file, and your reshacker efforts are wasted (perhaps you can also make it &amp;quot;READ-ONLY&amp;quot;, but why bother when you can kill the originating program file, free up your system resources, and run a clean system?)&lt;br /&gt;
&lt;br /&gt;
I guess some people like to just put a band aid on all wounds even if they lead to infection. I prefer to lick my wounds (actually tastes kinda nice. :), then add a band aid if and only if necessary. The truth is we're all animals -- no matter how &amp;quot;holy&amp;quot; you think you might be. &amp;quot;Lick&amp;quot; the wound. (Note: &amp;quot;lick&amp;quot; has double-meaning in case some of you might be tech-guys from some other country :) &lt;br /&gt;
&lt;br /&gt;
I've found other uses for the reshacker program. &lt;br /&gt;
&lt;br /&gt;
Have a nice day. &lt;br /&gt;
&lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#139367">
        <dc:format>text/html</dc:format>
        <dc:date>2004-05-31T07:56:47-05:00</dc:date>
        <dc:creator>pradip vidhate</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#139367</link>
        <description>Hey guys, the perfect solution for searchx.cc homepage hijacking is given below&lt;br /&gt;
&lt;br /&gt;
SOLUTION&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
01)  download hijackthis.zip from (&lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.spywareinfo.com/~merijn/files/hijackthis.zip&quot; target=&quot;_blank&quot;&gt;http://www.spywareinfo.com/~merijn/files/hijackthis.zip&lt;/a&gt;)&lt;br /&gt;
02)  download cwshredder.exe (download it from &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.spywareinfo.com/~merijn/files/CWShredder.exe&quot; target=&quot;_blank&quot;&gt;http://www.spywareinfo.com/~merijn/files/CWShredder.exe&lt;/a&gt;)&lt;br /&gt;
03)  download reshacker.zip (download it from &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://delphi.icm.edu.pl/ftp/tools/ResHack.zip/&quot; target=&quot;_blank&quot;&gt;http://delphi.icm.edu.pl/ftp/tools/ResHack.zip/&lt;/a&gt;)&lt;br /&gt;
04)  start the pc in safe mode&lt;br /&gt;
05)  unzip hijackthis.zip, run hijack.exe, click on scan button, it will give scan result; &lt;br /&gt;
       on the top in the first 4/5 lines you will see a .dll file entry and that is main .dll file responsible for the problem.&lt;br /&gt;
06)  now run reshacker.exe&lt;br /&gt;
07)  Open the .dll file in reshacker which is given in the hijackthis.exe scan result (c:\windows\system folder), you will see +23 on the left hand side of the screen. Expand the +23 tree, expand SP.HTML sub tree, click on 1033 then on the right hand side you will see the link &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://searchx.cc/search.php&quot; target=&quot;_blank&quot;&gt;http://searchx.cc/search.php&lt;/a&gt; replace it with any other link (I replace it with &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.yahoo.com&quot; target=&quot;_blank&quot;&gt;http://www.yahoo.com&lt;/a&gt;) click on Compile Script button (which is on the top of The Resource Hacker window) save the .dll file. &lt;br /&gt;
08)  Go to Registry Editor (run regedit.exe)&lt;br /&gt;
09)  find the registry value for .dll file &lt;br /&gt;
10)  remove the registry entry for .dll file&lt;br /&gt;
11)  run cwshredder.exe&lt;br /&gt;
12)  restart the machine &lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#139107">
        <dc:format>text/html</dc:format>
        <dc:date>2004-05-30T17:54:39-05:00</dc:date>
        <dc:creator>S Parker</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#139107</link>
        <description>This is a good &amp;quot;fix&amp;quot;. However, I think this &amp;quot;ieafdo.dll&amp;quot; file you refer to is the randomly generated .dll file (the name of which can be anything if searchx is resident). I checked google to see if this &amp;quot;ieafdo.dll&amp;quot; file exists, and there were zero returned hits.&lt;br /&gt;
&lt;br /&gt;
If this is YOUR randomly generated dll then it will be referenced in registry (visible quickly with hijackthis preceding lines with sp.html). Another simplistic approach to identifying this dll is the day that it appears you will find it in the C:\windows\system folder, sorted by &amp;quot;modified&amp;quot; date, as the most recent .dll file in the directory. Whatever this file is, is the one that I suspect you suggest we (i.e. anyone unfortunate enough to have become infected) edit with reshacker. Since I have been wiping out this searchx problem time and time again I will likely have to wait until tomorrow for that randomly generated file to appear. &lt;br /&gt;
&lt;br /&gt;
I have tried cwshredder, and it is useless. It is somewhat effective if you run it in safe mode, as it will pick up the blank.htm file and the randomly generated .dll file. I simply created a read-only blank.htm file of my own, but the randomly-generated .dll file name is unpredictable (or is it?). All hijackthis is doing is continuously showing me that the problem has returned, and I can remove those entries time and time again, but the &amp;quot;fix&amp;quot; is never permanent.  ...I await the regeneration of the .dll file so I can try your reshacker method.&lt;br /&gt;
&lt;br /&gt;
ALSO, I have noticed that when I dbl-click on the IE icon on the desktop the default open method is &amp;quot;OPEN HOME PAGE&amp;quot;. If I r-h-click on it, and select &amp;quot;OPEN&amp;quot;, the browser behaves normally. In the default open home page mode, there is a stray &amp;quot;IEXPLORE&amp;quot; process running and loads while the mouse icon switches to the hour-glass for several seconds (since I have Win98 I cannot see any process details -- and it does not appear in TaskMan! -- unless someone can tell me how to see process details in Win98). The process will continue to run indefinitely even after I have closed the IE window. Every dbl-click on the IE desktop icon initiates two processes -- the home page process and (what appears to be a virtual/hijacked) IEXPLORE process. So I can easily accumulate a whole list of IExplore processes that really do not exist -- but are listed using CTRL-Alt-DEL. They are easily terminated, are a huge annoyance, and are at best wasting system resources.&lt;br /&gt;
&lt;br /&gt;
I wonder if you've used &amp;quot;fix&amp;quot; as you report, and if when you double-click the IE icon/link you get a stray IEXPLORE process in addition to the window process. Also, does this stray IEXPLORE process continue to run even after you've exited your IE browser window?&lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#139007">
        <dc:format>text/html</dc:format>
        <dc:date>2004-05-30T05:45:39-05:00</dc:date>
        <dc:creator>pradip vidhate</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#139007</link>
        <description>I got the solution for this searchx.cc IE start page after spending more than 15 days on it, and now I want to share it with you people who are frustrated with this problem. &lt;br /&gt;
The main .dll file responsible for this problem is ieafdo.dll where the searchx.cc link is stored and we have to remove that link from that file and remove the registry entry for ieafdo.dll. &lt;br /&gt;
&lt;br /&gt;
Solution &lt;br /&gt;
&lt;br /&gt;
1) download reshacker.exe (download it from &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.users.on.net/~johnson/resourcehacker/&quot; target=&quot;_blank&quot;&gt;http://www.users.on.net/~johnson/resourcehacker/&lt;/a&gt;)&lt;br /&gt;
2) download cwshredder.exe (download it from &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.spywareinfo.com/~merijn/downloads.html&quot; target=&quot;_blank&quot;&gt;http://www.spywareinfo.com/~merijn/downloads.html&lt;/a&gt;)&lt;br /&gt;
3) run reshacker.exe&lt;br /&gt;
4) open the file ieafdo.dll; you will see +23 on the left hand side of the screen. Expand the +23 tree, expand SP.HTML, click on 1033, then on the right hand side you will see the link &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://searchx.cc&quot; target=&quot;_blank&quot;&gt;http://searchx.cc&lt;/a&gt;; replace it with any other link (I replaced it with &lt;a class=&quot;ext&quot; href=&quot;/action/r/http://www.yahoo.com&quot; target=&quot;_blank&quot;&gt;http://www.yahoo.com&lt;/a&gt;), click on the Compile Script button (which is at the top of the Resource Hacker window), and save the file ieafdo.dll&lt;br /&gt;
5) Go to Registry Editor (run regedit.exe)&lt;br /&gt;
6) find the registry value for ieafdo.dll&lt;br /&gt;
7) remove the registry entry for ieafdo.dll&lt;br /&gt;
8) run cwshredder.exe&lt;br /&gt;
9) restart the machine &lt;br /&gt;
&lt;br /&gt;
That's all, and you are free from the frustrating problem.&lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#136775">
        <dc:format>text/html</dc:format>
        <dc:date>2004-05-21T21:19:45-05:00</dc:date>
        <dc:creator>Anon Anon</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#136775</link>
        <description>I know it's a bit late now, but there's a website  and.doxdesk.com  where they give information about removing this kind of stuff manually. Usually means deleting a registry entry and a reboot, but it's always worth a look.&lt;br /&gt;
&lt;br /&gt;
</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#136770">
        <dc:format>text/html</dc:format>
        <dc:date>2004-05-21T21:08:47-05:00</dc:date>
        <dc:creator>adi tiger</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#136770</link>
        <description>Guys - I got the thing to clear off. Just download and run an updated and latest version of the Adware software and reset the home page to your required website.</description>
    </item>
    <item rdf:about="http://www.hardwareanalysis.com/content/topic/26927/#136273">
        <dc:format>text/html</dc:format>
        <dc:date>2004-05-20T04:18:44-05:00</dc:date>
        <dc:creator>Rob Gigante</dc:creator>
        <title>Re: Help me remove - http://searchx.cc/search.php?pin=6&amp;ww=spyware removal</title>
        <link>http://www.hardwareanalysis.com/content/topic/26927/#136273</link>
        <description>I've got the same problem... Every so often a window pops up to vn.msie.cc saying my machine has spyware on it. Sometimes I get so many my machine slows to a crawl. &lt;br /&gt;
&lt;br /&gt;
I've had spybot search and destroy version 1.2 on my win me machine and have kept it updated. Updated today and tried to get rid of it, but it does not find any spyware/trojans/etc. &lt;br /&gt;
&lt;br /&gt;
I also have Norton anti-virus and Internet firewall and neither of them has detected any problems. &lt;br /&gt;
&lt;br /&gt;
Is there some other way to find these programs that is more reliable?</description>
    </item>
</rdf:RDF>
