Coolwebsearch removal difficulty

Posted by: Bullit
Hi all, having trouble removing coolwebsearch browser hijacker. I have used the coolwebshredder to remove it but it keeps coming back. My virus scan shows a clean machine. Adaware shows clean; pestpatrol shows the reinfections but not the causing file. I think it is to do with my winlogon.exe - would like to get a new version of this and put it in? that possible? any other suggestions?

Posted by:
Hey man... Is this of any use at all? http://www.kephyr.com/spywarescanner/library/coolwebsearch/index.phtml It does mention the coolwebshredder but also directs you to some manual removal instructions...

Posted by: Lobos
Download AdAware 6 181 from here: http://www.lavasoftusa.com/

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then make sure the following settings are made and on ("ON=GREEN"). From main window: click "Start" then "Activate in-depth scan".

Then click "Use custom scanning options>Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".

Then go to settings (the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" and "Let windows remove files in use at next reboot".

Then click "proceed" to save your settings. Now to scan it's just to click the "Scan" button. When scan is finished mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu.)

Then download Spybot - Search & Destroy from http://security.kolla.de

After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

reboot

Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to its own folder (not temporary files or the desktop). Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here. DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.

Posted by: Bullit
excellent. I have managed to find the blighters. This is a great post and I'm sure I'll be referring to it in the future. Thanks wolf

Posted by:
Another victory in the war against spyware! WTG Bullit...:cool:

Posted by: Lobos
You're welcome Bull, glad to be of help

Posted by: Bullit
I ran the hijackthis.exe. What's all the "%74%6f%72%65%7b%30%34%31%39%61%66%65%62%" in the internet explorer settings?

Logfile of HijackThis v1.97.7
Scan saved at 22:19:59, on 05/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\AltoSoftware\AltoMemoryBooster\AltoMBsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Documents and Settings\My Documents\Downloads\other tools\coolwebpageshredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [AltoMB_service] C:\Program Files\AltoSoftware\AltoMemoryBooster\AltoMBsrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - DefaultPrefix:
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

Posted by: Bullit
removed the %72% junk anyway

Posted by: Lobos
run CWShredder, make sure it's updated first. Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")

reboot

Posted by: Lobos
after you run CWShredder run hjt, put a check next to this, close all browsers and hit fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73%74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37%31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%61%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30%30%
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

reboot into safe mode, make sure to delete C:\Program Files\Q330994.exe

Posted by: Bullit
C:\Program Files\Q330994.exe that was it - missed that one sittin there. this has been the most hoops i have had to jump thru because of malware like this dang
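
Added example, not part of the original thread: a small Python triage of the HijackThis entries discussed above. It rejoins and decodes the percent-escaped `res://` search values to show where they point, and flags the O16 entry whose source is a local file, mirroring the entries Lobos marked for fixing. The function names and the two flagging heuristics are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Entries taken from the log in the thread; the long value keeps wrap spaces
# inside it, as logs pasted into forums often arrive.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res:// %63%3a%5c%73%79%73%74%65%6d%20%76%6f%6c%75%6d%65%2 0%69%6e%66%6f%72%6d%61%74%69%6f%6e%5c%5f%72%65%73% 74%6f%72%65%7b%30%34%31%39%61%66%65%62%2d%35%63%37 %31%2d%34%34%66%36%2d%62%64%64%38%2d%34%63%62%30%6 1%62%32%36%33%33%39%39%7d%5c%72%70%34%5c%61%30%30% 30%
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.+)$")
ESCAPE_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")  # four or more escapes in a row
DANGLING = re.compile(r"%[0-9A-Fa-f]?$")             # escape cut off at the very end

def decode_value(raw):
    """Return (decoded, truncated) for a percent-obfuscated registry value."""
    if not ESCAPE_RUN.search(raw):
        return raw, False                 # nothing obfuscated, leave untouched
    joined = re.sub(r"\s+", "", raw)      # real spaces are encoded as %20
    truncated = bool(DANGLING.search(joined))
    joined = DANGLING.sub("", joined)     # drop the incomplete trailing escape
    return unquote(joined), truncated

def triage(log_text):
    """Return (section, detail, reason) for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section.startswith("R") and " = " in body:
            key, raw = body.split(" = ", 1)
            value, truncated = decode_value(raw)
            # Heuristic (assumption): an IE search value hidden behind escapes
            if value != raw and value.lower().startswith("res://"):
                reason = "obfuscated res:// target" + (" (truncated)" if truncated else "")
                findings.append((section, f"{key} = {value}", reason))
        elif section == "O16" and " - file://" in body.lower():
            # Heuristic (assumption): ActiveX entry sourced from a local file
            findings.append((section, body, "ActiveX entry installed from a local file"))
    return findings

if __name__ == "__main__":
    for section, detail, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {detail}")
```

The decoded value shows the hijacked search settings pointing at a file under a System Restore folder, which is why scanners that skip that folder can report a clean machine while the settings keep coming back.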