 | reply to weeirdo
Re: cant get rid of CWS.Searchx What to do if the AppInit_DLLs value is already clean, and CWShredder can't find searchx, but I still have some problems associated with it, like eazy-search.biz as a homepage and other nasty stuff like the Sexdial icon. |
|
 | Hmm, sounds like while it is a CoolWebSearch spyware, it may not specifically be CWS.searchx
On CWShredder, what does it say was REMOVED when you run it? |
|
 | reply to weeirdo It used to be searchx. Now CWShredder can't find anything, but my IE is messed up,
with its Casino Palazzo pop-up, and 90% of the links I click don't work.
Should I post a HijackThis log? |
|
 | reply to weeirdo Zupe, here is my Find-All.bat log and my HijackThis log with all the infection. Please help me.
Logfile of HijackThis v1.97.7
Scan saved at 9:57:07 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\TIG\DESKTOP\THUNDE~1\THUNDE~1\THUNDE~1.EXE
C:\Documents and Settings\Tig\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\eekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eekp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eekp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\eekp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29A520DF-5015-4280-8DBA-CBC76A99620E} - C:\WINDOWS\System32\eekp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CE52A20F-9A74-4B99-8DA9-66E5B194D85C} - C:\WINDOWS\System32\eignpj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···62731481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - »cdn.digitalcity.com/_media/dalai···ampx.cab
Here is the Find-All.bat log
--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--
Tue May 18 21:58:00 2004 -- Results: *System Info:
Microsoft Windows XP [Version 5.1.2600] C: "" (4063:0F57) - FS:NTFS clusters:4k Total: 120 023 252 992 [112G] - Free: 89 838 804 992 [84G]
*IE version and Service packs: 6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;
*Google Toolbar version and Attributes: 2.0.108.0 C:\Program Files\google\googletoolbar1.dll Defaults: "A" ;"R" File not found - C:\Program Files\google\googletoolbar2.dll A C:\Program Files\google\GoogleToolbar1.dll
*UserAgent: REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "YComp 5.0.0.0"="Yahoo! Companion"
*Wmplayer version: 9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe 6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
*M$Java version:
*PC uptime: 9:58pm up 0 days, 2:20
*Locked or 'Suspect' file(s) found... \\?\C:\WINDOWS\System32\EVENTLOG.DLL +++ File read error \\?\C:\WINDOWS\System32\EVENTLOG.DLL +++ File read error
*List of top level windows:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" "DeviceNotSelectedTimeout"="15" "GDIProcessHandleQuota"=dword:00002710 "Spooler"="yes" "swapdisk"="" "TransmissionRetryTimeout"="90" "USERProcessHandleQuota"=dword:00002710
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29A520DF-5015-4280-8DBA-CBC76A99620E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE52A20F-9A74-4B99-8DA9-66E5B194D85C}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler] @="AP Class Install Handler filter" "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate] @="AP Deflate Encoding/Decoding Filter " "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip] @="AP GZIP Encoding/Decoding Filter " "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml] @="AP lzdhtml encoding/decoding Filter" "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html] "CLSID"="{FF573684-9522-41B5-8FF6-24E7B5785745}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain] "CLSID"="{FF573684-9522-41B5-8FF6-24E7B5785745}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml] @="WebView MIME Filter" "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
*Security settings for 'Windows' key:
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_Dlls REG_SZ
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (»www.heysoft.de) This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: (NI) ALLOW Read BUILTIN\Users (IO) ALLOW Read BUILTIN\Users (NI) ALLOW Read BUILTIN\Power Users (IO) ALLOW Read BUILTIN\Power Users (NI) ALLOW Full access BUILTIN\Administrators (IO) ALLOW Full access BUILTIN\Administrators (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (NI) ALLOW Full access BUILTIN\Administrators (IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: Read BUILTIN\Users Read BUILTIN\Power Users Full access BUILTIN\Administrators Full access NT AUTHORITY\SYSTEM |
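The HijackThis log above shows the pattern that matters for this variant: every R0/R1 search hook points at a page served out of a DLL via res:// (eekp.dll here), an O2 BHO loads that same DLL, and a second BHO is registered for a file that is already gone. As an added example (not from the thread, from HijackThis, or from any of the tools mentioned), the Python below parses HijackThis-format lines and flags exactly that correlation; the embedded log is constructed to mirror the entries posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in HijackThis log format, modelled on the entries posted
# in this thread (search hooks pointing into a res:// DLL resource, plus the
# BHO entries registered alongside them). Not a real captured log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eekp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29A520DF-5015-4280-8DBA-CBC76A99620E} - C:\WINDOWS\System32\eekp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CE52A20F-9A74-4B99-8DA9-66E5B194D85C} - C:\WINDOWS\System32\eignpj.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# R0/R1 search or start page hooks whose target is a resource inside a DLL.
RES_DLL_RE = re.compile(r"=\s*res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# O2 entries: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    line: str    # the log entry that triggered the finding
    reason: str  # why a reviewer should look at it


def triage(log_text: str) -> List[Finding]:
    """Flag hijacked search hooks and the BHO entries tied to them."""
    res_dlls: Dict[str, List[str]] = {}     # lower-cased DLL path -> R lines
    bhos: List[Tuple[str, str, bool]] = []  # (line, lower-cased path, missing?)
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("R0 -", "R1 -")):
            m = RES_DLL_RE.search(line)
            if m:
                res_dlls.setdefault(m.group("dll").lower(), []).append(line)
        elif line.startswith("O2 - BHO:"):
            m = BHO_RE.match(line)
            if m:
                bhos.append((line, m.group("path").lower(), bool(m.group("missing"))))

    findings: List[Finding] = []
    for dll, lines in res_dlls.items():
        for entry in lines:
            findings.append(Finding(entry, f"search hook served from a res:// page inside {dll}"))
    for line, path, missing in bhos:
        if path in res_dlls:
            # The BHO that keeps the hijack alive: the same DLL hosts the fake search page.
            findings.append(Finding(line, "BHO loads the DLL that hosts the hijacked search page"))
        elif missing:
            # Registration survived but the file is gone: remnant of an earlier clean-up.
            findings.append(Finding(line, "BHO registered for a file that no longer exists"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[!] {f.reason}\n    {f.line}")
```

Legitimate BHOs (Acrobat, Spybot's SDHelper) produce no finding because neither matches a res:// hook nor is marked missing.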
|
 ZupePremium,MVM join:2001-11-29 New York, NY | reply to weeirdo Anyone still having problems please start a new thread of your own - removal for this is hard enough to keep track of without different people posting logs in the same place. -- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"? |
|
 | reply to Zupe I did what you said...ran the Find-All program and here is my output.txt file...... I have the same problem...cannot get rid of the searchx problem. Here it is...
--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--
Thu May 20 11:32:02 2004 -- Results: *System Info:
Microsoft Windows XP [Version 5.1.2600] C: "" (18E8:F26C) - FS:NTFS clusters:4k Total: 39 974 858 752 [37G] - Free: 1 380 417 536 [1.3G]
*IE version and Service packs: 6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings MinorVersion REG_SZ ;SP1;Q328970;Q324929;Q810847;Q813951;Q818529;Q822925;Q330994;Q828750;Q824145;Q832894;Q837009;Q831167;
*Google Toolbar version and Attributes: Defaults: "A" ;"R" Path not found - C:\Program Files\google Path not found - C:\Program Files\google
*UserAgent: REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
*Wmplayer version: 9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe 6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
*M$Java version: 5.0.3810.0 C:\WINDOWS\System32\msjava.dll
*PC uptime: 11:32am up 0 days, 3:23
*Locked or 'Suspect' file(s) found... \\?\C:\WINDOWS\System32\WINLFCE.DLL +++ File read error \\?\C:\WINDOWS\System32\WINLFCE.DLL +++ File read error
*List of top level windows:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "DeviceNotSelectedTimeout"="15" "GDIProcessHandleQuota"=dword:00002710 "Spooler"="yes" "swapdisk"="" "TransmissionRetryTimeout"="90" "USERProcessHandleQuota"=dword:00002710 "AppInit_DLLs"=""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler] @="AP Class Install Handler filter" "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate] @="AP Deflate Encoding/Decoding Filter " "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip] @="AP GZIP Encoding/Decoding Filter " "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml] @="AP lzdhtml encoding/decoding Filter" "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml] @="WebView MIME Filter" "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
*Security settings for 'Windows' key:
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_Dlls REG_SZ
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (»www.heysoft.de) This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: (NI) ALLOW Read BUILTIN\Users (IO) ALLOW Read BUILTIN\Users (NI) ALLOW Read BUILTIN\Power Users (IO) ALLOW Read BUILTIN\Power Users (NI) ALLOW Full access BUILTIN\Administrators (IO) ALLOW Full access BUILTIN\Administrators (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (NI) ALLOW Full access BUILTIN\Administrators (IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: Read BUILTIN\Users Read BUILTIN\Power Users Full access BUILTIN\Administrators Full access NT AUTHORITY\SYSTEM
|
|
 | reply to weeirdo How did you delete that corrupt searchx .dll? I can't even see mine! |
|
 | reply to weeirdo Hi, Had to use system restore in safe mode command prompt when having similar probs. |
|
 | reply to weeirdo I can't download Find-All.zip; is there a new location for it? |
|
 CajunTekInsane CajunPremium,MVM join:2003-08-08 Arlington, TX | reply to weeirdo Try this procedure: »forums.subratam.org/index.php?showtopic=583 -- Lost in Texas |
|
 | reply to moby323 CWShredder doesn't remove anything for me and I have the latest version; Ad-Aware doesn't remove these either! Please help |
|
 | Tony, follow the procedure in the link posted by MerlynTech right above yours. That has step by step procedures and links to download the tools to remove the hidden dll file that causes the reinfection. |
|
 dafficus join:2004-06-02 Overland Park, KS | Sexdial has infected my computer Calamity Jane: I, like Lion, have been infected with the same Sexdial spyware. I recently was infected by some spyware that I will call "SEXDIAL" because it deposited an icon on my desktop of the same name. I tried to delete it but it keeps returning. I am a regular user of Ad-Aware 6.0, which did NOT detect nor repair this spyware. I also own Spy Sweeper by Webroot and it is also ineffective.
1) The Spyware has rendered my Internet Explorer 6.0 useless. Most of my links on my IE 6 browser toolbar no longer work. The first page may work but on the subsequent pages I get a "This page can not be displayed".
2) In addition I get an icon called Sexdial on my desktop. When I click Properties, then Target, I get: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" »www.casinopalazzo.com/index.php?···d=100336 .
3) About every 5 minutes Internet Explorer will open a new web page (regardless of whether the browser is already open or not) and take me to a web page www.casinopalazzo.com, a web page that offers internet gambling by a company in the Antilles.
4) My browser home page is hijacked and redirected to some page I have never heard of.
5) Currently I can use my other browser, Mozilla Firefox, without incident. I have no idea what other problems will develop on my computer, but when I recently ran Ad-Aware again I got (see attached file) an alert about a possible browser hijacking.
When I went out to the internet and typed sexdial into Google, I got a web page of some other person who had been infected with the same spyware virus. He apparently posted his HijackThis log onto the internet. I would be glad to try to post mine if it would be of some help. The web page was »[Help] Search portal spyware got me now.
Please help me, and email me if you need additional information! Thanks very much! dafficus |
|
 | Hi dafficus,
That file you attached isn't working (it says invalid file). Could you please download *Hijack This!*, which will give us details about your operating system.
First, please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. Download and save the contents to the new folder you made and then navigate to the HijackThis.exe. Then, double-click HijackThis.exe, and hit "Scan".
Download here: »www.spywareinfo.com/downloads/to···This.exe
When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
It would be best if you start a new topic of your own (use the *New Topic* button at the top of this forum). Then, use copy and paste to add the results of your HijackThis log to your reply. Include your Ad-Aware log results as well, but use copy and paste. Open your log, use Edit then Select All (Ctrl+A); this will highlight all the text in your log. Then use Ctrl+C (copy to clipboard) and in your reply use Ctrl+V, which will paste the text into your message. -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/ |
|
 dafficus join:2004-06-02 Overland Park, KS | Thanks a million Calamity! I will post under a new topic area, Sexdial has infected my computer. |
|
 | reply to Zupe
Re: cant get rid of CWS.Searchx Hello. Can anyone tell me how I can remove searchx from Windows ME? I have tried everything...nothing seems to work. It keeps coming back. Help |
|
 | reply to weeirdo I can't get rid of sexdial, can anyone help me? |
|
 | reply to weeirdo Zupe, thanks for the help. Your RegLite instructions worked like a charm for me. Got this nasty variant about a week ago and could not make it go away. Thanks again! |
|
 | reply to weeirdo As Zupe previously stated (and so did I), you all need to go to the link at the top of the forum that is in big red letters: Before you post a Hijack This Log or if you're infected Follow These Steps, which will take you here.
»Security »I think my computer is infected or hijacked. What should I do?
Follow those steps and record your findings from each (we will need logs and results from those), then post your own new topic. Each system and each unsolvable malware problem usually needs different instructions, so please don't post any new queries to this thread. Be sure you update the programs required in each step and do the scans in safe mode. -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/ |
|