  Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware+removal 
 
adi tiger May 17, 2004, 05:15am EDT
Replies: 21 - Views: 289
My home page has been hijacked and I have a pop up coming up after every few seconds about spyware. The address is as http://searchx.cc/search.php?pin=6&ww=spyware+removal. I have tried CW shredder and adware to no response. I can not find reg32.exe to delete it from msconfig.


Drizzit May 17, 2004, 05:30am EDT

Edited: May 17, 2004, 05:36am EDT

 
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
I think you have a variant of the W32/Yaha worm!

Try using McAfee AVERT Stinger! This is a worm/trojan removal tool, you can get it here!
http://vil.nai.com/vil/stinger/

*edit*
Do a search in Windows if Stinger doesn't get it! You will have to terminate the running process in Task Manager under the Processes tab before you can delete it!
Click - Start - Search - Search for, reg32.exe

Some other useful tools, and free to boot! Do a http://www.Google.com search for these!
Spybot Search & Destroy
Spyware Blaster

Rhort May 17, 2004, 08:31am EDT
That "Spybot Search & Destroy" should sort that for you, Adi (it's free - get it from http://www.download.com). Once you install it, don't forget to run an update to get all the latest data into it (otherwise it's pretty pointless)

Post Edited On: Oct 19, 2078, 00:27 AM
_________________________________________________________________________________
~ The manual said "Requires Windows '95 or better" ...so I installed Linux!
1001000 1100101 1111000 0100000 1010010 1110101
adi tiger May 17, 2004, 11:24pm EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
Spybot and Stinger don't work. Pls help

adi tiger May 17, 2004, 11:27pm EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
This is the pop-up I am getting along with my hijacked home page:
WARNING
Your computer has been exposed to parasites known as spyware.

Spyware monitors and transmits personal information about your online activities and is a serious violation of your privacy.

Spyware can be easily detected and removed with a free spyware scanner avaiable for download at the link below.

> > > CLICK HERE TO KILL SPYWARE NOW < < <

Drizzit May 18, 2004, 12:40am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
Did you update those programs before you ran them?

Have you tried manually setting your Home page back? If not, the spyware may be on the jacked home page and every time you connect it reloads! It could be that it's just a pop-up and no spyware is actually installed! You will need to change your Home Page manually!

Change your Home page!
Right-click on Internet Explorer - Properties - General tab - Home Page (put in a new address)

Update Spybot S&D and run a new scan! If it doesn't find anything you should be clean!

Update Spywareblaster - under protection enable protect all! This will keep most spyware from being installed in the first place!

If you can't get the spyware removed then you may want to take it to a tech, but my guess is your jacked Home Page allows pop-ups and that's all it is, so by changing your home page to something else it may stop it! Also, if you don't delete the Spybot S&D backup copy of files deleted, Ad-aware will see it as spyware!



lee broadbent May 19, 2004, 05:27pm EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
I know it sounds stupid, but it's not Windows Messenger, is it? Cos I had one very similar and just stopped Messenger.

REMEMBER - ITS EASIER TO CRITICISE THAN IT IS TO BE CORRECT
Rob Gigante May 20, 2004, 12:18am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
I've got the same problem... Every so often a window pops up to vn.msie.cc saying my machine has spyware on it. Sometimes I get so many my machine slows to a crawl.

I've had spybot search and destroy version 1.2 on my win me machine and have kept it updated. Updated today and tried to get rid of it, but it does not find any spyware/trojans/etc.

I also have Norton anti-virus and Internet firewall and neither of them have detected any problems.

Is there some other way to find these programs that is more reliable?

adi tiger May 21, 2004, 05:08pm EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
Guys- I got the thing to clear off. Just down load and run an updated and latest version of the Adware software and reset the home page to your required website.

Anon Anon May 21, 2004, 05:19pm EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
I know it's a bit late now, but there's a website and.doxdesk.com where they give information about removing this kind of stuff manually. Usually means deleting a registry entry and a reboot, but it's always worth a look.


pradip vidhate May 30, 2004, 01:45am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
I got the solution for this searchx.cc IE start page after spending more than 15 days on it. And now I want to share this with you people who are frustrated with this problem.
The main .dll file responsible for this problem is ieafdo.dll where the searchx.cc link is stored and we have to remove that link from that file and remove the registry entry for ieafdo.dll.

Solution

1) download reshacker.exe (download it from http://www.users.on.net/~johnson/resourcehacker/)
2) download cwshredder.exe (download it from http://www.spywareinfo.com/~merijn/downloads.html)
3) run reshacker.exe
4) open the file ieafdo.dll, you will see +23 on the left hand side of the screen. Expand the +23 tree, expand SP.HTML, click on 1033, then on the right hand side you will see the link http://searchx.cc. Replace it with any other link (I replaced it with http://www.yahoo.com), click on the Compile Script button (which is on the top of the Resource Hacker window) and save the file ieafdo.dll
5) Go to Registry Editor (run regedit.exe)
6) find the registry value for ieafdo.dll
7) remove the registry entry for ieafdo.dll
8) run cwshredder.exe
9) restart the machine

That's all, and you are free from the frustrating problem.

S Parker May 30, 2004, 01:54pm EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
This is a good "fix". However, I think this "ieafdo.dll" file you refer to is the randomly generated .dll file (the name of which can be anything if searchx is resident). I checked google to see if this "ieafdo.dll" file exists, and there were zero returned hits.

If this is YOUR randomly generated dll then it will be referenced in registry (visible quickly with hijackthis preceding lines with sp.html). Another simplistic approach to identifying this dll is the day that it appears you will find it in the C:\windows\system folder, sorted by "modified" date, as the most recent .dll file in the directory. Whatever this file is, is the one that I suspect you suggest we (i.e. anyone unfortunate enough to have become infected) edit with reshacker. Since I have been wiping out this searchx problem time and time again I will likely have to wait until tomorrow for that randomly generated file to appear.

I have tried cwshredder, and it is useless. It is somewhat effective if you run it in safe mode, as it will pick up the blank.htm file and the randomly generated .dll file. I simply created a read-only blank.htm file of my own, but the randomly-generated .dll file name is unpredictable (or is it?). All hijackthis is doing is continuously showing me that the problem has returned, and I can remove those entries time and time again, but the "fix" is never permanent. ...I await the regeneration of the .dll file so I can try your reshacker method.

ALSO, I have noticed that when I dbl-click on the IE icon on the desktop the default open method is "OPEN HOME PAGE". If I r-h-click on it, and select "OPEN", the browser behaves normally. In the default open home page mode, there is a stray "IEXPLORE" process running and loads while the mouse icon switches to the hour-glass for several seconds (since I have Win98 I cannot see any process details -- and it does not appear in TaskMan! -- unless someone can tell me how to see process details in Win98). The process will continue to run indefinitely even after I have closed the IE window. Every dbl-click on the IE desktop icon initiates two processes -- the home page process and (what appears to be a virtual/hijacked) IEXPLORE process. So I can easily accumulate a whole list of IExplore processes that really do not exist -- but are listed using CTRL-Alt-DEL. They are easily terminated, are a huge annoyance, and are at best wasting system resources.

I wonder if you've used "fix" as you report, and if when you double-click the IE icon/link you get a stray IEXPLORE process in addition to the window process. Also, does this stray IEXPLORE process continue to run even after you've exited your IE browser window?

pradip vidhate May 31, 2004, 03:56am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
Hey guys, the perfect solution for searchx.cc homepage hijacking is given below

SOLUTION


01) download hijackthis.zip from (http://www.spywareinfo.com/~merijn/files/hijackthis.zip)
02) download cwshredder.exe (download it from http://www.spywareinfo.com/~merijn/files/CWShredder.exe)
03) download reshacker.zip (download it from http://delphi.icm.edu.pl/ftp/tools/ResHack.zip/)
04) start the pc in safe mode
05) unzip hijackthis.zip, run hijack.exe, click on the scan button and it will give the scan result. On the top, in the first 4/5 lines, you will see a .dll file entry and that is the main .dll file responsible for the problem.
06) now run reshacker.exe
07) Open the .dll file in reshacker which is given in the hijackthis.exe scan result (c:\windows\system folder), you will see +23 on the left hand side of the screen. Expand the +23 tree, expand the SP.HTML sub tree, click on 1033, then on the right hand side you will see the link http://searchx.cc/search.php. Replace it with any other link (I replaced it with http://www.yahoo.com), click on the Compile Script button (which is on the top of the Resource Hacker window) and save the .dll file.
08) Go to Registry Editor (run regedit.exe)
09) find the registry value for .dll file
10) remove the registry entry for .dll file
11) run cwshredder.exe
12) restart the machine

S Parker May 31, 2004, 11:20am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
To be honest, the solution you just posted can be problematic, since the .dll file you're altering with reshacker is a randomly-generated .dll file. In your method posted above, it's pointless to simply alter the behavior of this file since you then shred it with cwshredder (which should be done under Safe Mode if you want a clean system). Also, you do not mention how to remove the generator file (the file that generates the .dll file in the first place).

To make life simple (and educate the user along the way):

With Windows running in SAFE MODE (To enter safe mode, reboot your computer while either holding down the CTRL key or the F8 key -- depending on your computer manufacturer. You will get a prompt. Select the SAFE MODE option. Boot to Safe Mode, and conduct the following procedures.):

1. RUN CWSHREDDER with the "send to recycling bin...." option selected so you know what you're actually deleting! (see links elsewhere on this thread) It will identify the cws variant -- presumably searchx, tell you it was removed, and you will see the .dll file appear in your recycling bin -- this does not happen if you are running windows in normal mode because you cannot delete the file in normal mode as it is running, plus you may find a "blank.htm" file in the recycling bin.

2. EMPTY RECYCLING BIN

3. RUN HIJACKTHIS (see links to program elsewhere on this thread) Remove all the lines ending in "sp.html" (there will be several registry entries beginning with R0,R1, R2, etc...plus at least one more entry lower in the list).

4. In Hijackthis, also look for and remove DPF (download program file) entries (these lines may begin with "O16") which you do not know about. You should be able to easily identify valid entries, remove unidentifiable entries. For example, I use shutterfly photo/image service, and this is a downloaded program file I use directly with their online service. The searchx spyware seems to have a downloaded program file (this is the file I believe generates the random .dll) and it was HIDDEN from hijackthis on my PC. But remove all suspicious DPF entries to be sure.

5. MANUALLY REMOVE SUSPICIOUS DOWNLOADED PROGRAM FILES (~30kb, and unidentifiable) Go to C:\windows\Downloaded Program Files, and manually, right-click on suspicious looking files and select to REMOVE these kinds of files. Mine was about 30+kb in size (about the same size as the random .dll file). Note: If you happen to remove a valid file in this directory, you will likely be able to re-download the program file whenever you need to use the service associated with it. So I wouldn't worry too much about deleting good files. The file will not appear in the recycling bin -- once removed it is GONE.

6. CLEAN THE REGISTRY. Use EasyCleaner (I think it's linked somewhere on this thread, but search google for "EClea1_7.exe" for a good copy. Newer versions aren't any better, just have more functions.). This will remove any stray registry entries linked to the files you have removed, so it won't look for them during reboot. Remove ALL registry entries that EasyCleaner finds. I've used the program for a few years with no problems.

7. CHANGE YOUR HOMEPAGE entry in IE (I often use a link to a .html file on my hard disk, but google.com, yahoo.com, etc is good as well). My local .html file is quick to load and contains links to all my favorite sites (I hate the Favorites list!).

8. Reboot to Normal Mode.

As posted a couple entries above, up until yesterday I had this searchx infection for about a week and it returned several times. If you use the reshacker program, it will only modify the randomly generated .dll file which will remain active on your computer. In the message posted by the guy above, if you run cwshredder in NORMAL MODE it will not remove this .dll file, so it is best to run cwshredder in Safe Mode where the .dll file is successfully removed. So, if you were to later run cwshredder in safe mode (to remove a future variant, possibly even searchx itself) that .dll file will be removed and then regenerated the next day by the originating generator file. Once I removed the generator file (in C:\Windows\Downloaded Program Files) I haven't seen the searchx variant return today (but then again, there is always tomorrow).

Finally, as I mentioned in my last post, I created my own "blank.htm" file in the C:\Windows\System directory. If you open the source code of the searchx variant's start page, you will note that the page itself contains a javascript that runs searchx.cc\...... So if you cannot for some reason fix the searchx problem, create your own "blank.htm" file (even just a blank file with gibberish) and change permissions on the file to "READ-ONLY". It cannot be overwritten, and your start page will at least not auto-load the searchx.cc javascript. This is yet another "patch" of sort (similar to using reshacker on a randomly generated file). Just keep in mind that if you shred variants in SAFE MODE at a later date, it will remove the .dll file, and your reshacker efforts are wasted (perhaps you can also make it "READ-ONLY", but why bother when you can kill the originating program file, free up your system resources, and run a clean system?)

I guess some people like to just put a band aid on all wounds even if they lead to infection. I prefer to lick my wounds (actually tastes kinda nice. :), then add a band aid if and only if necessary. The truth is we're all animals -- no matter how "holy" you think you might be. "Lick" the wound. (Note: "lick" has double-meaning in case some of you might be tech-guys from some other country :)

I've found other uses for the reshacker program.

Have a nice day.
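The "lines ending in sp.html" and the unknown DPF entries described in the posts above can be pulled out of a saved HijackThis log mechanically, which also yields the name of the randomly generated DLL. This is an added example, not part of any post in this thread; the sample log, DLL name, CLSIDs, URLs and the `known_dpf` allow-list are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample laid out like a HijackThis log. The DLL name, CLSIDs and
# URLs are made up; only the "sp.html" marker and the R*/O16 tags come from
# the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\qkzvw.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\qkzvw.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:%5CWINDOWS%5CSYSTEM%5Cqkzvw.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
O16 - DPF: {00000000-0000-0000-0000-0000000000A1} (Shutterfly Picture Upload Plugin) - http://photos.example.invalid/upload.cab
O16 - DPF: {00000000-0000-0000-0000-0000000000B2} - http://cab.example.invalid/x.cab
"""

# "R0 - <key>,<value name> = <data>": IE start/search page settings.
R_LINE = re.compile(r"^(?P<tag>R[0-3]) - (?P<key>.+),(?P<name>[^,]+?) =\s*(?P<data>.*)$")
# "O16 - DPF: <id and optional label> - <url>": Downloaded Program Files.
O16_LINE = re.compile(r"^O16 - DPF: (?P<ident>.+) - (?P<url>\S*)$")
# A res:// URL that serves the sp.html resource out of a DLL.
RES_DLL = re.compile(r"res://(?P<dll>.+?\.dll)/sp\.html", re.IGNORECASE)


def triage(log_text, known_dpf=()):
    """Return hijacked IE settings, the DLLs they point at, and unknown DPF entries."""
    hijacked, dlls, unknown_dpf = [], set(), []
    for line in map(str.strip, log_text.splitlines()):
        r = R_LINE.match(line)
        if r:
            # Percent-encoded paths hide the DLL name from a plain text search.
            hit = RES_DLL.search(unquote(r["data"]))
            if hit:
                dll = hit["dll"].replace("/", "\\").lower()
                dlls.add(dll)
                hijacked.append((r["tag"], r["key"], r["name"], dll))
            continue
        o = O16_LINE.match(line)
        if o and not any(k.lower() in o["ident"].lower() for k in known_dpf):
            unknown_dpf.append((o["ident"], o["url"]))
    return {"hijacked": hijacked, "dlls": sorted(dlls), "unknown_dpf": unknown_dpf}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, known_dpf=("shutterfly",))
    for tag, key, name, dll in report["hijacked"]:
        print(f"{tag} {key} [{name}] -> {dll}")
    print("DLLs to inspect:", report["dlls"])
    print("DPF entries to review:", report["unknown_dpf"])
```

Running it against logs taken on successive days shows whether the DLL name changes after each cleanup, which is the regeneration behaviour described above.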


S Parker May 31, 2004, 11:31am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
This website sucks.

Just as I posted my last post above, I was re-infected with the searchx variant. (ADMIN, take note)

Ok. For now, using the big bad band-aid approach on the .dll file using reshacker will have to do. If you're going to put a band-aid on the file, though, just use reshacker and don't worry about running all the other programs. It's a pointless waste of time. Just use reshacker and change searchx.cc to http://www.disney.com. ALSO create a blank.htm file in windows\system to prevent searchx.cc from being called if future .dll files are randomly generated. The guy that writes cwshredder must be asleep at the wheel on this one.


S Parker Jun 02, 2004, 09:56am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
SOLUTION:

Download the latest build of Adaware (see http://www.download.com). The build number should be 1.87 or 1.97 (whichever, the name of the download reflects the build number). Then go to the Adaware website and download the latest reference list. (currently dated may 30,2004, I think). Scan with Adaware.

CWS-searchx.cc itself can be shredded with cwshredder (Merijn's software). However, if after using cwshredder, searchx reappears, then you likely have CWS-freeyellowpage which will continuously reload searchx. The reloader is a hidden dll file. You can locate it with prcview if you like, but Adaware, with the current reflist will do the job for you. I suspect that using Windows' Find/Search function on the usual SYSTEM folder for *.dll will yield a comparative list of these hidden files. You can also see it with DOS/Command Prompt. If you remove this file manually, running in Safe Mode is the best bet.

I'm confident my infection is gone since the behaviour of my Iexplore process has returned to normal. (It doesn't hang any more once I close the IE window)

S Parker Jun 02, 2004, 09:58am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
AND, by the way, after I posted this time, I did not see any infection.

S Parker Jun 02, 2004, 10:11am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal


SOLUTION TO REMOVE SEARCHX AND/OR FREEYELLOWPAGE ADWARE (reposted with corrections):

1. Download and install Adaware 6.0 BUILD 1.81 (filename "aaw181.exe", ~2Mb) from http://www.download.com

2. Do not run the software until you've updated the reference list (step 3).

3. Download the latest reference list from the Adaware website, unzip it, and copy it into the Adaware program directory (overwriting the current reflist.ref file). See: http://www.lavasoftusa.com/support/download/ and download the red-highlighted link (today there is a reference list dated 6-02, more current than mentioned in my previous post).

4. Run Adaware with no other programs running (to be clean) and SCAN

5. Click the necessary NEXT button and select files to quarantine. If you've been quarantining files with other programs, Adaware may detect those quarantined files.

I am sure CWShredder will be updated soon to fix the searchx/freeyellowpage complex, (Merijn does good work) but for now, Adaware will quarantine the complex file(s). Essentially you should find two .dll files [one is the regenerator file (presumed to be associated with CWS-freeyellowpage), the other is the randomly generated file (the CWS-searchx variant)]. I'm not sure if Adaware fixes the registry appropriately, however, you may want to run Easycleaner (or other) to clean up your registry.

Reboot.

all the best.
S Parker


Dave Demp Jun 03, 2004, 07:23pm EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
This is it. I have cleaned SEARCHX completely; here's how to make a good rebuild for Win ME.
Might even work with 98 also!

Ok here goes, I can't believe I had to register just to post this. But I got rid of searchx because of some of the tips here, so returning a favour, thanks people, I couldn't have done it alone.

I am running windows ME with all the MS upgrades except IE6, which wouldn't install until after I removed searchx.

1/ Down load cwshredder.exe (download it from http://www.spywareinfo.com/~merijn/files/CWShredder.exe)
2/ Down load reshacker.zip (download it from http://delphi.icm.edu.pl/ftp/tools/ResHack.zip/)
3/ Down load a registry checker. I have Norton Utilities, so if you have it, that will do.
Unzip both programs, but do not run them yet.

3/ Down load an alternate web browser, I used Opera, not a bad bit of kit http://www.opera.com

4/ Now delete Internet Explorer.
I know you can not remove the normal way through "add/remove", just go into the folder C:\Program Files\Internet Explorer and delete it all.

5/ Then go to C:\Windows\System and delete blank.htm

6/ Start the pc in safe mode. F8 on boot and select option:3 Safe Mode.

7/ Run cwshredder.exe

8/ Go to your trashcan and empty it.

9/ Run reshacker.exe after you use the scan, highlight each reg entry and select info. If it is reported as not being a normal entry, then tick it. Then click on fix to remove them.

10/ When they have been removed, click scan again and repeat the above. Do this at least three times.

11/ Go to Trash can and empty.

12/ Run your registry checker.

13/ Reboot and use Start/Settings/Control Panel/Internet Options. Make sure you clear the history and previous files and set default home page to something like google.com or yahoo.com.

14/ Open Opera web browser and down load latest explorer,…. 6 sp1 is the latest. Make sure you turn off all anti virus software and internet security software before you try to install it!!!!!!!!!!!!!!!

15/ Reboot, check internet options to make sure the default home page you put in is still there. If it isn't, you have to repeat the above.

If it's the same home page, you are back to normal I hope

If all else fails, just use Opera. It's a great freebie browser. Fast and friendly and seemingly unaffected by searchx.

Good Luck and email me if you get stuck david.dempster@lineone.net

Cheers
Davey





JIM LIN Jun 09, 2004, 02:02am EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
I've killed this hijack by use of a program named CWShredder.exe.
It's very easy. Just download it and run it (under protect mode).
Remember, close all the IE6 and windows before running this program.
You can download it from here
http://www.zerosrealm.com/downloads/CWShredder.zip

Joe Suave Jul 07, 2004, 04:04pm EDT
>> Re: Help me remove - http://searchx.cc/search.php?pin=6&ww=spyware removal
Searchx removal information

This worked for me:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.
The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.
1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
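For the final "check the registry" step in the post above, a text export of the key from regedit can be audited offline instead of trusting what the editor displays. This is an added example, not part of the original post: the sample export and DLL name are constructed, and the leading-whitespace padding is only an assumed way a value could look blank, since the post does not say how the value was hidden.

```python
import re

# Key named in the post above, lower-cased because registry paths are
# case-insensitive.
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"

# Constructed regedit text export; the DLL name is made up and the leading
# spaces are an assumption used to illustrate a value that looks empty.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="            C:\\WINDOWS\\System32\\qkzvw.dll"
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
'''


def decode_value(raw):
    """Turn the right-hand side of a .reg line into text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # Quoted string: undo the \\ and \" escaping regedit applies.
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex(?:\([0-9a-f]+\))?:(.*)$", raw, re.IGNORECASE)
    if m:
        # hex(2)/hex(7) data in a Version 5.00 export is UTF-16LE text.
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw


def audit_appinit(export_text):
    """List every AppInit_DLLs value found under the Windows key of the export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", export_text)  # join hex continuation lines
    findings, in_key = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_key = s[1:-1].lower() == APPINIT_KEY
        elif in_key:
            m = re.match(r'"appinit_dlls"\s*=(.*)$', s, re.IGNORECASE)
            if m:
                data = decode_value(m.group(1))
                findings.append({
                    "raw": data,  # print with repr() to see padding
                    # The value is a space- or comma-separated list of DLLs.
                    "dlls": [d for d in re.split(r"[ ,]+", data.strip()) if d],
                    "padded": data != data.strip() or not data.isprintable(),
                })
    return findings


if __name__ == "__main__":
    for f in audit_appinit(SAMPLE_EXPORT):
        print(repr(f["raw"]), f["dlls"], "padded" if f["padded"] else "plain")
```

An empty `dlls` list after the reboot means nothing is being injected through this value; any entry that survives is the file to hand to the removal tool.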

