Hi: has anyone found the definitive cure for this problem?
Running Process Viewer, I have noticed that there is a DLL called "logho.dll" that must be located in C:\Windows\System32, but it isn't there!!!
I think that this DLL is the real cause of our problems!!
How can we locate it?
Thanks
--enrico
Enrico,
It may be a CoolWebSearch variant that you have caught called CWS.Searchx. This is a clever variant and is difficult to remove manually. That DLL will be one of many, and it is probably a hidden file, which is why you can't see it without looking for hidden files. I would download the CWShredder program from MERIJN.ORG and let it remove all the components for you. http://www.spywareinfo.com/~merijn/cwschronicles.html
That link will tell you all about Search X amongst a whole host of CoolWebSearch variants, and it has the link to download the CWShredder program too. This program is free. When you run it, make sure you follow all the instructions and warnings...;o)
Safe Computing...;o)
Thanks, but this "logho.dll" is in addition to the specific variant DLL, named in various ways (as you know).
I have already tried CWShredder, Ad-Aware, HiJackThis, BPS Spyware Remover, and so on... but I can't locate this "logho.dll".
I think that it is created by a Registry key, loaded into memory and then deleted by itself.
It's very hard to remove forever!!
thanks
--enrico
Enrico,
This Logho.dll must be on the system somewhere. Is "logho" a Mexican word? I thought it was Spanish but it isn't. It also is interesting that a DLL file is showing up in the running processes when they are all EXE files normally. This file may have made itself a hidden AND protected file. Try changing the folder VIEW attributes to show protected files and see if the DLL shows itself...;o)
Safe Computing...;o)
I had the same problem with searchx.cc but I think I have discovered the solution: you have to erase the file named eoigg.dll from windows\system, then you have to manually clean your registry entries and change your start page. I solved my problem with this simple routine.
Sincerely, Adrian Cervantes Castillo, Puebla, Mexico
Ok...
Sorry, I don't speak good English.
1 Start cwshredder.exe, kill all the entries.
2 The searchx.cc drops two DLL file entries in the Windows\system32 dir
(with alternating names).
I have located them with Total Commander ( http://www.ghisler.com/ ). Start Total Commander, go to C:\windows\system32 and press
Alt-F7 (or in Commands - Search), activate the "Find Text:" and search for the words "searchx.cc"
and "Start Search". If you find it,
then you can analyze it with F3 (Total Commander) or Notepad ....
Kill these two entries - but if you can't kill them - reboot your computer
and DON'T start the I-Explorer - and kill the entries.
OK, complete. Pierre
/Germany/ BSYO everything will be fine!
Hi Snot,
I too have that nasty searchX on my machine and have read multiple threads. CWShredder only gets rid of it for an hour and then (I'm guessing) the DLL restarts the virus. And again my browser gets hijacked.
I also ran the bit above on Total Commander and nothing came up
HELP!!!!
Oso
i've got this searchx.cc thing too. it's copying itself all over my machine in a file called res.dll that i cannot find!
i've noticed that i cannot make a file called res.dll anywhere on my system.
and i cannot run many install programs, because they try to create dll files that have the string "res" somewhere in the name (adobeimagereadyres.dll for example) and the virus won't allow it!
i would love to know how to find these searchx.cc guys. >:[
aspiralformation.
Me too... my pc is now buzzing with Norton, Spysweeper and Adaware. I have got rid of a few things that must have been lurking for a while. But none of the above deal with CWS.Searchx properly. Then I found CWShredder and thought my troubles were over - it identified Searchx and appeared to have removed it... until I rebooted and opened IE for the second or third time - when it popped up yet again
What to do now?
Tim
I just discovered I may have CWS.Realyellowpage which keeps reloading CWS.Searchx
CWS.Realyellowpage seems to be v.v.hard to remove manually and is not (yet) detected/removed by CWShredder
More info at
http://www.spywareinfo.com/~merijn
and in forums at
http://www.spywareinfo.com
I had this same problem in IE where when you open it, it shows about:blank in the Address bar and shows a search page that takes you to searchx.cc. But I finally found the fix. Before you start you should have the latest Adaware 6. You will need it.
I had run Adaware 6 and it removed it temporarily but it kept coming back after a few hours or days. It somehow kept re-infecting my machine.
After many hours of hard work, I finally figured out how to remove it for good. The key to removing this is the registry key called
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.
The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.
1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
Let me know if this works for you.
- from DanR the computer guy
(By the way, the only reason why I spent so much time figuring this out is because Merijn doesn't seem to be able to. I've been waiting a long time for him to figure it out but it seems he hasn't been able to so I got sick of waiting and just did it myself. Maybe he'll copy this into CWShredder now that he knows how to do it.)
A really easy way to remove the nasty thing is to turn off the system restore from control panel/system and then run CWShredder, HijackThis or both. After this make the appropriate changes in the browser settings in control panel, restart the computer and turn on the system restore again. This is no rocket science, but it was the only trick that worked for me! Good luck.
this is how i removed the nasty CWS.searchx:
- run cwsshredder, it will delete searchx
- remove the following key from the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (thanks to DanR)
for now the spyware is gone on my machine (xp), even after a reboot it stays away.
hope this helps,
sanctus
this is how i removed searchx.cc start page
- first you need the latest version of ad-aware 6.
- this program http://www.fgxdev.unlugar.com/find-all/Find-All.zip to search .dlls
- and this program http://www.fgxdev.unlugar.com/reshack/reshack.zip to read .dlls
1) remove the registry key called
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
2) run ad-aware 6 to remove the files and objects.
3) extract all from find-all.zip
run find-all.bat and it generates a log file output.txt.
my output:
--===**'FIND-ALL' VERSION 2, 5/04**===--
Tue May 11 01:10:34 2004 -- Results:
*System Info:
Microsoft Windows XP [Versión 5.1.2600]
C: "" (20A1:B38F) - FS:NTFS clusters:4k
Total: 10 487 197 696 [10G] - Free: 1 912 606 720 [1.8G]
Locked or 'Suspect' file(s) found...
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{601ED020-FB6C-11D3-87D8-0050DA59922B}]
@="Ipswitch.WsftpBrowserHelper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7559B76E-0222-4d77-9499-CCE9EB4EDC2F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9527D42F-D666-11D3-B8DD-00600838CD5F}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E9880EBC-7AAC-4564-B2E9-A87747D5A259}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{B1D7C723-6D18-47AD-9EEF-31AFF4859866}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{B1D7C723-6D18-47AD-9EEF-31AFF4859866}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"
Class Install Handler
{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}
C:\WINDOWS\system32\urlmon.dll
deflate
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll
gzip
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll
lzdhtml
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll
text/html
{B1D7C723-6D18-47AD-9EEF-31AFF4859866}
C:\WINDOWS\mrhop.dll
text/plain
{B1D7C723-6D18-47AD-9EEF-31AFF4859866}
C:\WINDOWS\mrhop.dll
text/webviewhtml
{733AC4CB-F1A4-11d0-B951-00A0C90312E1}
%SystemRoot%\system32\SHELL32.dll
text/xml
{807553E5-5146-11D5-A672-00B0D022E945}
C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
{21A2CA63-27F8-4AB7-839A-8BEA2F4F3996} C:\WINDOWS\mrhop.dll
{67611960-B738-4B0E-9F4E-54FC069FEABE} C:\WINDOWS\mrhop.dll
{B1D7C723-6D18-47AD-9EEF-31AFF4859866} C:\WINDOWS\mrhop.dll
{BF8BB899-C9D6-4947-9F29-FED27A401E65} C:\WINDOWS\mrhop.dll
{E9880EBC-7AAC-4564-B2E9-A87747D5A259} C:\WINDOWS\mrhop.dll
{E9D81D50-615D-44D2-B7E8-4C6292F2055C} C:\WINDOWS\mrhop.dll
{21A2CA63-27F8-4AB7-839A-8BEA2F4F3996} C:\WINDOWS\mrhop.dll
{67611960-B738-4B0E-9F4E-54FC069FEABE} C:\WINDOWS\mrhop.dll
{B1D7C723-6D18-47AD-9EEF-31AFF4859866} C:\WINDOWS\mrhop.dll
{BF8BB899-C9D6-4947-9F29-FED27A401E65} C:\WINDOWS\mrhop.dll
{E9880EBC-7AAC-4564-B2E9-A87747D5A259} C:\WINDOWS\mrhop.dll
{E9D81D50-615D-44D2-B7E8-4C6292F2055C} C:\WINDOWS\mrhop.dll
{807553E5-5146-11D5-A672-00B0D022E945} C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
_______________________________
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
{601ED020-FB6C-11D3-87D8-0050DA59922B}
C:\Archivos de programa\WS_FTP Pro\wsbho2k0.dll
{7559B76E-0222-4d77-9499-CCE9EB4EDC2F}
C:\ARCHIV~1\AdShield\AdShield\AdShield.dll
{9527D42F-D666-11D3-B8DD-00600838CD5F}
C:\WINDOWS\System32\IETie.dll
{E9880EBC-7AAC-4564-B2E9-A87747D5A259}
C:\WINDOWS\mrhop.dll
************============******************============
Then i opened the rare files "mrhop.dll" "IETie.dll" with the Reshacker program.
in these files i found the html code from the searchx.cc page. it's good
i just removed those files.
run ad-aware 6 again.
finally remove the registry keys connected with this .dll and modify these registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Search Bar"=""
"Search Page"=""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
"Search Bar"=""
"Search Page"=""
Reboot the PC.
Big congratulation @ DanR. My system is clean without format C:\> etc.
The way, which he wrote, is easy. After the reboot, I deleted the *.dll in my c:\windows\system32 folder, which creates every time this daft html file with the name about:blank!
And now the problem was gone.
Good luck for you & thanks!!!
Uwe [Germany]
let us all nominate (dan r) for an award!!!
i have had this searchx problem for 3months
and have tried every program and read every forum on the net, then my luck changed when i read response no.10 from dan r.
just do what he says and it's gone, not seen about blank for over a week now!
ahh peace at last....
Another simple method to remove searchx.cc where your browser goes to "about:blank" but loads the search page is to do this:
Just to make sure this works everytime if the basstidz over at searchx.cc decide to change the dll do this.
Open regedit to:
HKLM\software\microsoft\internet explorer\main
Open either of the values "searchbar" or "searchpage"
Copy the string of characters.
Mine was "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%63%66%67%6c%67%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
Paste the string you find into your IE address bar and hit enter.
It will take you to a page.
Go FILE > PROPERTIES.
Notice the url part in the properties menu?
It will point you to the exact file that is causing the searchx.cc junk.
Mine was res://C:\WINDOWS\System32\cfglg.dll/sp.html
The file I got rid of was the "cfglg.dll" in the windows\system32 directory.
Delete or Rename the dll file and VOILA! You have control of your browser again!!
Like I say, they may change the name of the dll, that's why I show you how to check ;)
www.xipperhead.com
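The lookup described in the post above can also be done without loading the URL in the browser. This is an added example, not part of the original post: it decodes the percent-encoded res:// value quoted there and splits it into the module (DLL) path and the resource name. The function names and the sample dictionary are illustrative, and it assumes the module path uses backslashes, as in the post.

```python
import re
from urllib.parse import unquote

# The "Search Bar"/"Search Page" value quoted in the post above.
SAMPLE = ("res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32"
          "%5c%63%66%67%6c%67%2e%64%6c%6c/%73%70%2e%68%74%6d%6c")


def parse_res_url(value):
    """Return (module_path, resource) for a res:// URL, or None otherwise."""
    text = value.strip().strip('"')
    if not text.lower().startswith("res://"):
        return None
    # Split on the literal '/' first, then decode each part, so an encoded
    # slash inside a component cannot shift the module/resource boundary.
    parts = text[len("res://"):].split("/")
    module = unquote(parts[0])
    resource = "/".join(unquote(p) for p in parts[1:])
    return module, resource


def is_obfuscated(value):
    """True if letters or digits were percent-encoded, which URLs never need."""
    return any(chr(int(h, 16)).isalnum()
               for h in re.findall(r"%([0-9A-Fa-f]{2})", value))


def audit_ie_values(values):
    """List (value name, module, resource, obfuscated) for res:// values."""
    findings = []
    for name, data in sorted(values.items()):
        parsed = parse_res_url(data)
        if parsed:
            findings.append((name, parsed[0], parsed[1], is_obfuscated(data)))
    return findings


# Constructed sample of values copied out of
# HKLM\software\microsoft\internet explorer\main (not real registry output).
CONSTRUCTED_VALUES = {
    "Search Bar": SAMPLE,
    "Search Page": SAMPLE,
    "Start Page": "about:blank",
}

if __name__ == "__main__":
    for name, module, resource, hidden in audit_ie_values(CONSTRUCTED_VALUES):
        print(f"{name}: module={module} resource={resource} obfuscated={hidden}")
```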
Thank you DanR! Your fix worked in five minutes! I've been fighting this hijack for over a month. DanR for President!
I am using Windows 98. I did not see the registry entry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
So I ran hijackThis and cleaned up the DLL and then ran CWSshredder to make sure everything is clean. Rebooted. So far it seems to have worked.
I am still curious if there is some other registry entry for Windows 98 that needs to be cleaned. I did not see that mentioned in Win98 forums
DanR your Method Worked fine for me. Great Buddy! Keep up the Good Work
I spent a day trying to get rid of this hijack, trying all the removal programs like most of you. Now I just tried DanR's method but it did not work on my win2000pro system. Then I read xipperhead's Response 16 about "HKLM\software\microsoft\internet explorer\main\ "searchbar" or "searchpage"
and I found this strange string as he quotes. I tried to change or delete these 2 keys, but no way: they would always be recreated when refreshing with F5. So I tried to delete the worm file, which for me was:
\\res:c:\winnt\system32\ofkehca/sp.html
but here Windows refused to destroy or rename it as it is currently in use (when you load this file with Notepad you can see that this binary file contains the hijack menu).
So what I did to get around it: I rebooted the system in safe mode with command shell (by pressing F8 at boot time). With the command shell, I deleted the worm file, then I rebooted again in standard mode, and I regained control of the browser!
thank you xipperhead, hope this can help somebody.
I solved the problem by removing a suspected dll file from winxp/system32 directory and reset the startpage from IE's internet option menu.
I located this file (omfe.dll) in window explorer by:
1. its modified date = 5/24/2004, which showed it to be the most recently installed/modified file,
2. putting the mouse pointer over the file to get the pop-up description; it didn't show the Company info, file version etc.
3. opening the file in notepad will show the source of the html of the startup search page.
Hope this can help people who don't know much about windows registry.
syan
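The manual search used in the posts above (a text search for "searchx.cc" across the DLLs in a directory, then sorting by modified date) can be scripted. This is an added example, not code from any poster: it goes slightly beyond the posts by also matching the marker as UTF-16LE text, which a plain text search can miss, and it lists files that could not be read. Function names and defaults are illustrative.

```python
import os
import sys
import time


def marker_encodings(marker):
    """Byte patterns for the marker as ASCII and as UTF-16LE text."""
    return [marker.encode("ascii"), marker.encode("utf-16-le")]


def file_contains(path, patterns, chunk_size=1 << 20):
    """Stream a file and report whether any pattern occurs (ASCII case ignored)."""
    pats = [p.lower() for p in patterns]
    overlap = max(len(p) for p in pats) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            # Keep the end of the previous window so a match that straddles
            # two chunks is still found.
            window = (tail + chunk).lower()
            if any(p in window for p in pats):
                return True
            tail = window[-overlap:] if overlap else b""


def scan_dir(directory, marker="searchx.cc", ext=".dll"):
    """Return (hits, unreadable); hits are (name, mtime), newest first."""
    patterns = marker_encodings(marker)
    hits, unreadable = [], []
    # os.scandir lists entries regardless of Hidden/System attributes.
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith(ext):
            continue
        try:
            if file_contains(entry.path, patterns):
                hits.append((entry.name, entry.stat().st_mtime))
        except OSError:
            # Locked or access-denied files are reported, not skipped silently.
            unreadable.append(entry.name)
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits, unreadable


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found, skipped = scan_dir(target)
    for name, mtime in found:
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), name)
    for name in skipped:
        print("could not read:", name)
```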
Thank you DanR (post #10 above). I used no less than EIGHT (8) different antivirus and anti spyware programs to no avail until I read your post and did what you described.
I, like a lot of the people on here, was a bit apprehensive about messing with the registry, but found it quite easy to do what you suggested -- it was more like re-naming a file and deleting a file in explorer than it was editing a registry. Surprisingly easy...
Anyways... Running all the removal programs I have accumulated, the darn thing kept coming back EVERY night (morning?) at about 12:35am -- UNTIL I removed the entry you described AND in the manner you described. It's only been one day, but since the trojan was back like clockwork everyday at 12:35am and it's now 1:43am, I feel pretty confident it's gone for good.
Thanks so much for figuring this out and then posting it. Also, thanks to Merijn for his CWShredder which is indispensable in this removal also (it got rid of the rest of the crap added by Searchx.cc).
Just FYI, I also used Bazooka Spyware Scanner, Spywareguard (which helped a lot in the beginning), Ad-Aware 6.0, BHODemon (which identifies Browser helper objects), DSOstop2 (which I'm not sure if it plugged the exploit hole it's supposed to, but I used it anyways), MalWhere (which identifies all processes running on your computer and tells you what they are and what probability they have of being a virus/malware process), Norton Anti-virus/firewall/and systemworks suite.
For anyone interested, I downloaded the above programs (which are all freeware except for Norton) from www.majorgeeks.com and from www.download.com
Even with all that, until I did DanR's fix on top of all the other programs, I still had the Searchx.cc....
One last note: I actually called Symantec (Norton's maker) and paid them to help me remove this problem. They charged me, said it couldn't be removed, and told me to do a destructive recovery -- wipe out everything on my computer and start over again. I'm just ecstatic that I read these posts before I did that...
Hey guys n gals i got the solution for this searchx.cc ie start page after spending more than 15 days for this solution. And now i want to share this with you people who are frustrated with this problem
The main .dll file responsible for this problem is ieafdo.dll where the searchx.cc link is stored and we have to remove that link from that file and remove the registry entry for ieafdo.dll.
Solution
1) download reshacker.exe (download it from http://www.users.on.net/~johnson/resourcehacker/)
2) download cwshredder.exe (download it from http://www.spywareinfo.com/~merijn/downloads.html)
3) run reshacker.exe
4) open the file ieafdo.dll, you will see +23 on the left hand side of the screen. expand the +23 tree, expand SP.HTML, click on 1033 then on the right hand side you will see the link http://searchx.cc replace it with any other link ( i replace it with http://www.yahoo.com) click on Compile Script button (which is on the top of The Resource Hacker window) save the file ieafdo.dll
5) Go to Registry Editor (run regedit.exe)
6) find the registry value for ieafdo.dll
7) remove the registry entry for ieafdo.dll
8) run cwshredder.exe
9) restart the machine
That's all n you r free from the frustrating problem.
Hey guys the perfect solution for searchx.cc homepage hijack is given below
SOLUTION
01) download hijackthis.zip from (http://www.spywareinfo.com/~merijn/files/hijackthis.zip)
02) download cwshredder.exe (download it from http://www.spywareinfo.com/~merijn/files/CWShredder.exe)
03) download reshacker.zip (download it from http://delphi.icm.edu.pl/ftp/tools/ResHack.zip/)
04) start the pc in safe mode
05) unzip hijackthis.zip, run hijack.exe click on scan button it will give scan result
on the top in the first 4/5 lines you will see a .dll file entry and that is main .dll file responsible for the problem.
06) now run reshacker.exe
07) Open the .dll file in reshacker which is given in the hijackthis.exe scan result (c:\windows\system folder), you will see +23 on the left hand side of the screen. expand the +23 tree, expand SP.HTML sub tree, click on 1033 then on the right hand side you will see the link http://searchx.cc/search.php replace it with any other link ( i replace it with http://www.yahoo.com) click on Compile Script button (which is on the top of The Resource Hacker window) save the .dll file.
08) Go to Registry Editor (run regedit.exe)
09) find the registry value for .dll file
10) remove the registry entry for .dll file
11) run cwshredder.exe
12) restart the machine