CWS.SEARCHX CoolWebSearch won't go away!

R

Richard Hunt

Hello,
I've tried everything to get rid of cws.searchx including running
cwshredder, search and destroy, adaware, and hijack this (and deleting
appropriate entries); deleting regsitry entries; and every other thing you
can think of, and the darn thing keeps coming back within 20 minutes of
getting rid of it. I've tried running these programs in safe mode to no
avail. I'm using all the updated versions of each program.

Could someone give me some advice on what to do next? I really don't want
to have to reinstall windows or anything drastic like that. I appreciate
any help you guys can give me.

Thanks
Richard
 
M

MowGreen [MVP]

Variant 38: CWS.Searchx - About:blank
http://www.spywareinfo.com/~merijn/cwschronicles.html#searchx

If "about:blank" is your issue, follow these steps laid out by
Mike Burgess, MVP :

" Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.

Download: CWShredder (***NOTE: as stated above, if you already have
v.1.57, skip this step***)
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.

Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.

Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.

Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.

Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.

[Step1]

Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:

Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisable installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.

[Step2]

Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)

[Step3]

Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows


Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.


IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.

[Step 4]

Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)

Open Winfile

Navigate to System32 folder.
Click File (up top) select: Move

Copy and paste this into the 'From' box:
C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll

Note: where "<filename>" = culprit dll from "output.txt"

Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll"
file.

At this point see if you can rename the "<filename>.dll"
Do this several time, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)

[Step 5]

Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt

[Step 6]

Open Regedit (Start | Run (type) "regedit" (no quotes)
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next

Note: where "<filename>" = culprit dll from "output.txt"

Remove all instances found.Press "F3" to continue searching
until you see the "Completed" message.

Next repeat the above steps, subsitute the "secondary dll"
From: "text/html" as seen in the "output.txt"

[Step 7]

Run CWShredder and reboot.

[Step 8]
Run Ad-Aware

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html

Launch the program, and click on the Gear at the top of the start
screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your
installed hard
drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh [HijackThis] log [to an appropriate
forum] ...
--

Disclaimer: Renaming the "Windows" key modified some security settings.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]

Right-click the "Windows" key, select: Permissions

[Example]
Before renaming the "Windows" key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows"
"Read":
*"Administrators
*Power Users
*Users"
"Write"
*"Administrators"

--
[Example]

After Renaming the key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write"
*"Administrators
--

You need to check that and if 'Everyone' was added (as seen above)
You need to reset your original settings as follows:
Note: do this after removing the infection.

Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]

Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.

Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control". "



MowGreen [MVP]
*-343-* Never Forgotten
 
G

Guest

----- Richard Hunt wrote: ----

Hello
I've tried everything to get rid of cws.searchx including runnin
cwshredder, search and destroy, adaware, and hijack this (and deletin
appropriate entries); deleting regsitry entries; and every other thing yo
can think of, and the darn thing keeps coming back within 20 minutes o
getting rid of it. I've tried running these programs in safe mode to n
avail. I'm using all the updated versions of each program

Could someone give me some advice on what to do next? I really don't wan
to have to reinstall windows or anything drastic like that. I appreciat
any help you guys can give me

Thank
Richar


Did you try going into the add/remove programs list. If it is in there delete it. If it isn't here is where it should be. Open up Windows Explorer and get into you drive with WINXP on it. Click on the Program Files folder and search for the program. You can also click on custom in the search menu in IE and see if you can change anything in there. It might also be in your Temporary Interenet Files. Go in there and don't be shocked. All those things are cookies. You can delete them if you want and you will get a load of hard drive space. Well you do have to delete them. Unless you want to do searches for the right cookie and all that. And that should get it our if you try everything above

Mike Szewil
 
?

.

Mr. Mow,
Thanks for the fast response. I had a few problems while following your
instructions.

#1--The link you have for CWShredder points to Hijack This. I ran both of
these programs just to be sure.

#2--The findall output said that the culprit DLL was hlped.dll in the
windows\sytem32 folder. This file was not in this directory (or anywhere
else on my computer for that matter), so I could not move it to C:\junk. I
didn't know what to do from here, so I ran Hijack This to see what it said.
It listed a BOH (or something like that, can't remember exactly what it
said) that something about search (sorry, shoulda written more
down)--anyways, the file was boaaofa.dll. I thought this might be some sort
of 'culprit dll,' so I followed the rest of the instructions as this
boaaofa.dll file as the culprit dll file. (this file was located in
C:\windows\system32)

#3--I'm not sure what you mean when you say 'next repeat the above steps,
substitute the 'secondary dll' From: "text/html" as seen in the
"output.txt."

Can you give me some suggestions on the problems I ran into?

Thanks so much for your help,
Richard


MowGreen said:
Variant 38: CWS.Searchx - About:blank
http://www.spywareinfo.com/~merijn/cwschronicles.html#searchx

If "about:blank" is your issue, follow these steps laid out by
Mike Burgess, MVP :

" Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.

Download: CWShredder (***NOTE: as stated above, if you already have
v.1.57, skip this step***)
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.

Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.

Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.

Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.

Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.

[Step1]

Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:

Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisable installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.

[Step2]

Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)

[Step3]

Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows


Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.


IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.

[Step 4]

Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)

Open Winfile

Navigate to System32 folder.
Click File (up top) select: Move

Copy and paste this into the 'From' box:
C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll

Note: where "<filename>" = culprit dll from "output.txt"

Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll"
file.

At this point see if you can rename the "<filename>.dll"
Do this several time, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)

[Step 5]

Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt

[Step 6]

Open Regedit (Start | Run (type) "regedit" (no quotes)
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next

Note: where "<filename>" = culprit dll from "output.txt"

Remove all instances found.Press "F3" to continue searching
until you see the "Completed" message.

Next repeat the above steps, subsitute the "secondary dll"
From: "text/html" as seen in the "output.txt"

[Step 7]

Run CWShredder and reboot.

[Step 8]
Run Ad-Aware

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html

Launch the program, and click on the Gear at the top of the start
screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your
installed hard
drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh [HijackThis] log [to an appropriate
forum] ...
--

Disclaimer: Renaming the "Windows" key modified some security settings.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]

Right-click the "Windows" key, select: Permissions

[Example]
Before renaming the "Windows" key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows"
"Read":
*"Administrators
*Power Users
*Users"
"Write"
*"Administrators"

--
[Example]

After Renaming the key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write"
*"Administrators
--

You need to check that and if 'Everyone' was added (as seen above)
You need to reset your original settings as follows:
Note: do this after removing the infection.

Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]

Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.

Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control". "



MowGreen [MVP]
*-343-* Never Forgotten


Richard said:
Hello,
I've tried everything to get rid of cws.searchx including running
cwshredder, search and destroy, adaware, and hijack this (and deleting
appropriate entries); deleting regsitry entries; and every other thing you
can think of, and the darn thing keeps coming back within 20 minutes of
getting rid of it. I've tried running these programs in safe mode to no
avail. I'm using all the updated versions of each program.

Could someone give me some advice on what to do next? I really don't want
to have to reinstall windows or anything drastic like that. I appreciate
any help you guys can give me.

Thanks
Richard
Click to expand...
Click to expand...
 
K

kimmy

Richard said:
Hello,
I've tried everything to get rid of cws.searchx including running
cwshredder, search and destroy, adaware, and hijack this (and deleting
appropriate entries); deleting regsitry entries; and every other
thing you can think of, and the darn thing keeps coming back within
20 minutes of getting rid of it. I've tried running these programs
in safe mode to no avail. I'm using all the updated versions of each
program.

Could someone give me some advice on what to do next? I really don't
want to have to reinstall windows or anything drastic like that. I
appreciate any help you guys can give me.

Thanks
Richard
Click to expand...
This has been discussed on several forums where you will get better help
than here. This is an xp group not a spyware forum. It's a tough one, but
try these threads where people have managed to get rid of it.

http://www.computing.net/security/wwwboard/forum/11527.html
http://www.dslreports.com/forum/remark,10106852~mode=flat
 
M

MowGreen [MVP]

Richard,

I copied and pasted the response without ascertaining all the info
given was accurate. My fault ... I'll make the person who sent it to
me pay for this transgression :)

Please go here and Register :
http://forum.aumha.org/profile.php?mode=register

Then, post the HijackThis log :
http://forum.aumha.org/viewforum.php?f=30

Sorry about the confusing/inaccurate instructions .

MowGreen [MVP]
*-343-* Never Forgotten


.. said:
Mr. Mow,
Thanks for the fast response. I had a few problems while following your
instructions.

#1--The link you have for CWShredder points to Hijack This. I ran both of
these programs just to be sure.

#2--The findall output said that the culprit DLL was hlped.dll in the
windows\sytem32 folder. This file was not in this directory (or anywhere
else on my computer for that matter), so I could not move it to C:\junk. I
didn't know what to do from here, so I ran Hijack This to see what it said.
It listed a BOH (or something like that, can't remember exactly what it
said) that something about search (sorry, shoulda written more
down)--anyways, the file was boaaofa.dll. I thought this might be some sort
of 'culprit dll,' so I followed the rest of the instructions as this
boaaofa.dll file as the culprit dll file. (this file was located in
C:\windows\system32)

#3--I'm not sure what you mean when you say 'next repeat the above steps,
substitute the 'secondary dll' From: "text/html" as seen in the
"output.txt."

Can you give me some suggestions on the problems I ran into?

Thanks so much for your help,
Richard


Variant 38: CWS.Searchx - About:blank
http://www.spywareinfo.com/~merijn/cwschronicles.html#searchx

If "about:blank" is your issue, follow these steps laid out by
Mike Burgess, MVP :

" Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.

Download: CWShredder (***NOTE: as stated above, if you already have
v.1.57, skip this step***)
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.

Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.

Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.

Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.

Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.

[Step1]

Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:

Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisable installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.

[Step2]

Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)

[Step3]

Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows


Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.


IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.

[Step 4]

Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)

Open Winfile

Navigate to System32 folder.
Click File (up top) select: Move

Copy and paste this into the 'From' box:
C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll

Note: where "<filename>" = culprit dll from "output.txt"

Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll"
file.

At this point see if you can rename the "<filename>.dll"
Do this several time, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)

[Step 5]

Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt

[Step 6]

Open Regedit (Start | Run (type) "regedit" (no quotes)
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next

Note: where "<filename>" = culprit dll from "output.txt"

Remove all instances found.Press "F3" to continue searching
until you see the "Completed" message.

Next repeat the above steps, subsitute the "secondary dll"
From: "text/html" as seen in the "output.txt"

[Step 7]

Run CWShredder and reboot.

[Step 8]
Run Ad-Aware

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html

Launch the program, and click on the Gear at the top of the start
screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your
installed hard
drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh [HijackThis] log [to an appropriate
forum] ...
--

Disclaimer: Renaming the "Windows" key modified some security settings.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]

Right-click the "Windows" key, select: Permissions

[Example]
Before renaming the "Windows" key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows"
"Read":
*"Administrators
*Power Users
*Users"
"Write"
*"Administrators"

--
[Example]

After Renaming the key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write"
*"Administrators
--

You need to check that and if 'Everyone' was added (as seen above)
You need to reset your original settings as follows:
Note: do this after removing the infection.

Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows]

Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.

Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control". "



MowGreen [MVP]
*-343-* Never Forgotten


Richard Hunt wrote:

Hello,
I've tried everything to get rid of cws.searchx including running
cwshredder, search and destroy, adaware, and hijack this (and deleting
appropriate entries); deleting regsitry entries; and every other thing
Click to expand...
you
can think of, and the darn thing keeps coming back within 20 minutes of
getting rid of it. I've tried running these programs in safe mode to no
avail. I'm using all the updated versions of each program.

Could someone give me some advice on what to do next? I really don't
Click to expand...
want
to have to reinstall windows or anything drastic like that. I
Click to expand...
appreciate
any help you guys can give me.

Thanks
Richard
Click to expand...
Click to expand...
Click to expand...
 
P

Primax

The latest CWShredder didn't work now with CWS.searchx (at least thats
how it detected the spyware)

i found following registry entries that re-insert the spyware at IE.

remove those or search for daodn.dll
run CWShredder
restart

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D932CFA2-2690-493C-B8B2-4446B2FC32D4}]
[HKEY_CLASSES_ROOT\CLSID\{D932CFA2-2690-493C-B8B2-4446B2FC32D4}\InProcServer32]
@="C:\\WINNT\\System32\\daodn.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CF32DB60-D35E-4D5F-A622-34EEB0673531}]
[HKEY_CLASSES_ROOT\CLSID\{CF32DB60-D35E-4D5F-A622-34EEB0673531}\InProcServer32]
@="C:\\WINNT\\System32\\daodn.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0D2BFD8C-D620-4A2F-B264-77C76525633F}]
[HKEY_CLASSES_ROOT\CLSID\{0D2BFD8C-D620-4A2F-B264-77C76525633F}\InProcServer32]
@="C:\\WINNT\\System32\\daodn.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A7922508-C14A-4D07-A62D-4DDEC39528B1}]
[HKEY_CLASSES_ROOT\CLSID\{A7922508-C14A-4D07-A62D-4DDEC39528B1}\InProcServer32]
@="C:\\WINNT\\System32\\daodn.dll"
"ThreadingModel"="Apartment"

If you can't find any daodn.dll try searching all files containing
other keywords

Below a piece from the daodn.dll file

<div class=searchPanel>
<form id=formWeb action="http://searchx.cc/search.php" method=get
target="_main">
<input type=hidden name="pin" value="13">
<label for=txtWebSearch>Find a Web page containing:</label><br>
<input class=inputs type=text name=ww id=txtWebSearch><br>
<table width=100% cellspacing=0 cellpadding=0 class=searchTable><tr>
<td class=rightButton><input type=button onclick="$Bx();return null;"
value="Search" title="Start Searching"></td>
</tr></table>
</form>
</div>


<script language=javascript>
function $Bx(){
s=escape(formWeb.ww.value);
if(s==""){
alert("Please specify something to search for!");
return;
}
formWeb.submit();
}
function go(text) { formWeb.ww.value=text; $Bx(); }
</script>

<br>


<table border=0 cellpadding=2 cellspacing=0 width=100% height="125"
style="border:1 solid #e53701">
<tr bgcolor="#e53701">
<td>
<font color="white"><b>Hot Searches</b></font>
</td>
</tr>
<tr bgcolor="#eeeeee">
<td><br><font style="line-height:12pt;">
&nbsp;<a class=h href="javascript:go('hydrocodone')">Hydrocodone</a><br>
&nbsp;<a class=h href="javascript:go('moving companies')">Moving
Companies</a><br>
&nbsp;<a class=h href="javascript:go('nevada corporation')">Nevada
Corporation</a><br>
&nbsp;<a class=h href="javascript:go('pool cleaning')">Pool
Cleaning</a><br>
&nbsp;<a class=h href="javascript:go('recreational vehicle
insurance')">Recreational Vehicle Insurance</a><br>
&nbsp;<a class=h href="javascript:go('mortgage refinancing')">Mortgage
Refinancing</a><br>
&nbsp;<a class=h href="javascript:go('casino online')">Casino
Online</a><br>
&nbsp;<a class=h href="javascript:go('spyware')">Spyware</a><br>
&nbsp;<a class=h href="javascript:go('adware')">Adware</a><br>
&nbsp;<a class=h href="javascript:go('antivirus')">Antivirus</a><br><br>
</td>
</tr>
</table>
<br>
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Coolwebsearch nightmare!!!! 3
Pesky TROJAN virus won't go away. 4
coolwebsearch 1
Two autocomplete entries won't disappear! 6
"New Hot Deals.exe" keeps showing up on my Desktop, how to get rid of it???? 10
About:Blank home page 8
Removing Spyfalcon 2
IE Home Page Nuisance 3

Top