Re: CWS.SEARCHX CoolWebSearch won't go away!

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Primax (primax_at_segherskeppel.com)
Date: 05/26/04


Date: 26 May 2004 06:20:36 -0700

The latest CWShredder didn't work now with CWS.searchx (at least thats
how it detected the spyware)

i found following registry entries that re-insert the spyware at IE.

remove those or search for daodn.dll
run CWShredder
restart

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D932CFA2-2690-493C-B8B2-4446B2FC32D4}]
[HKEY_CLASSES_ROOT\CLSID\{D932CFA2-2690-493C-B8B2-4446B2FC32D4}\InProcServer32]
@="C:\\WINNT\\System32\\daodn.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CF32DB60-D35E-4D5F-A622-34EEB0673531}]
[HKEY_CLASSES_ROOT\CLSID\{CF32DB60-D35E-4D5F-A622-34EEB0673531}\InProcServer32]
@="C:\\WINNT\\System32\\daodn.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0D2BFD8C-D620-4A2F-B264-77C76525633F}]
[HKEY_CLASSES_ROOT\CLSID\{0D2BFD8C-D620-4A2F-B264-77C76525633F}\InProcServer32]
@="C:\\WINNT\\System32\\daodn.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A7922508-C14A-4D07-A62D-4DDEC39528B1}]
[HKEY_CLASSES_ROOT\CLSID\{A7922508-C14A-4D07-A62D-4DDEC39528B1}\InProcServer32]
@="C:\\WINNT\\System32\\daodn.dll"
"ThreadingModel"="Apartment"

If you can't find any daodn.dll try searching all files containing
other keywords

Below a piece from the daodn.dll file

<div class=searchPanel>
 <form id=formWeb action="http://searchx.cc/search.php" method=get
target="_main">
 <input type=hidden name="pin" value="13">
 <label for=txtWebSearch>Find a Web page containing:</label><br>
 <input class=inputs type=text name=ww id=txtWebSearch><br>
 <table width=100% cellspacing=0 cellpadding=0 class=searchTable><tr>
 <td class=rightButton><input type=button onclick="$Bx();return null;"
value="Search" title="Start Searching"></td>
 </tr></table>
 </form>
</div>

<script language=javascript>
function $Bx(){
 s=escape(formWeb.ww.value);
 if(s==""){
  alert("Please specify something to search for!");
  return;
 }
 formWeb.submit();
}
function go(text) { formWeb.ww.value=text; $Bx(); }
</script>

<br>

<table border=0 cellpadding=2 cellspacing=0 width=100% height="125"
style="border:1 solid #e53701">
<tr bgcolor="#e53701">
 <td>
<font color="white"><b>Hot Searches</b></font>
 </td>
</tr>
<tr bgcolor="#eeeeee">
 <td><br><font style="line-height:12pt;">
&nbsp;<a class=h href="javascript:go('hydrocodone')">Hydrocodone</a><br>
&nbsp;<a class=h href="javascript:go('moving companies')">Moving
Companies</a><br>
&nbsp;<a class=h href="javascript:go('nevada corporation')">Nevada
Corporation</a><br>
&nbsp;<a class=h href="javascript:go('pool cleaning')">Pool
Cleaning</a><br>
&nbsp;<a class=h href="javascript:go('recreational vehicle
insurance')">Recreational Vehicle Insurance</a><br>
&nbsp;<a class=h href="javascript:go('mortgage refinancing')">Mortgage
Refinancing</a><br>
&nbsp;<a class=h href="javascript:go('casino online')">Casino
Online</a><br>
&nbsp;<a class=h href="javascript:go('spyware')">Spyware</a><br>
&nbsp;<a class=h href="javascript:go('adware')">Adware</a><br>
&nbsp;<a class=h href="javascript:go('antivirus')">Antivirus</a><br><br>
</td>
</tr>
</table>
<br>



Relevant Pages

  • Re: CWS.SEARCHX CoolWebSearch wont go away!
    ... The latest CWShredder didn't work now with CWS.searchx (at least thats ... i found following registry entries that re-insert the spyware at IE. ...
    (microsoft.public.security)
  • Re: about:blank page - where is this setting?
    ... even CWShredder, but the coolweb thing just comes back after a reboot. ... Next step is to hack the registry, ... I will try downloading HijackThis, though I'm losing so much time on ... >> any of the spyware apps to make any difference. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: iexplorer.exe Application Error
    ... I hope that letting those spyware programs ... >>Note that AdAware and SpyBot S & D will each catch some ... >>CWShredder is also available here: ... >>Alternative download pages for Ad-Aware, Spybot, ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: Hijack to buydomains.com?
    ... I tried all the software mentioned: spybot, ad-aware and CWShredder. ... > Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines ... > Alternative download pages for Ad-Aware, Spybot, HijackThis and CWShredder ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: Browser Link problem
    ... The cwshredder did the trick. ... > Download, install, run, update and run again; ... > THE PARASITE FIGHT QUICK FIX PROTOCOL ... > Dealing with Unwanted Spyware and Parasites ...
    (microsoft.public.windowsxp.basics)