Getting Rid of Latest CoolWebSearch Infection

Incidentally, I am in the UK and it being midnight here now am off to bed so will reply after a good sleep.....

dc

Hello dercoss =)

Before suggesting anything, i want to take a look at ur Hijackthis LOG file.... so can u plzz Download HijackThis v1.98.1, run it, Save the LOG file and Post it here:

Link1 >> http://tools.radiosplace.com/HijackThis.exe
Link2 >> http://spywarewarrior.com/files/HijackThis.exe

Hi

Also, for Spybot, have you Immunized your computer with it?

Regards,
Zyloch

It is a real pain removing this, but I have used the methods here to my satisfaction..

How to uninstall & remove cool web search browser hijacker

http://www.spysweeper.com/remove-coolwebsearch.html

BTW:  User the manual method outlined in the link above..  I found it to be the only real way to kill this...

FE

Hi
Yes by all accounts "little bastard" is a fairly reasonable, if not somewhat tame description and it's a real shame about cwshredder. I'd be interested to know if this is anywhere near the mark, as the thing appears to have several different variants that added up make it a real bugger to get rid of,
Manual Spy Bot Removal > CoolWebSearch
http://www.spy-bot.net/CoolWebSearch.asp
Remove coolwebsearch
http://www.spysweeper.com/remove-coolwebsearch.html

Deb :))

Bugger - two minutes too late ;))

haha...  by a nose..  :)

Laugh it up boyo, I'll have my day ;)

and isn't it ironic......don't you think, a little too ironic, yes I really do think....
(pay no attention, I've had a long day and am slightly hysterical)

Deb ;)

AHH!!! I'm surrounded by smart people ;)

Deb, there are quite a few times that you beat me to the mark...  along with most of the other experts...!!!  :)  

Zyloch..  well, we will just have to take that as a compliment, eh?  

Dercoss,

Here is ALL you need:

1.   Google for this file ***:
      "miniremoval_coolwebsearch_smartkiller.exe"
      Download and run it.

2.   Follow instructions on this page:
      http://www.fixyourwindows.com/windowsxpsolutions.htm

Happy Hunting!

*** "miniremoval_coolwebsearch_smartkiller.exe" was recommended by Merijn - creator of  HijackThis and CWShredder


-Ashish

http://www.doxdesk.com/parasite/CoolWebSearch.html


If the search page pops up when an about:blank file is loaded, then AboutBuster seems to be catching on.  Third comment from the bottom in this forum explains.
http://www.techimo.com/forum/archive/index.php/t-114687.html

http://www.snapfiles.com/get/aboutbuster.html

Don't start congratulating each other just yet. The links and suggestions may have worked for earlier versions of this nasty infection but not for the one I'm getting.

Here is the hijackthis log. I might add that the odd looking things come back with slightly different gibberish names each time..

Logfile of HijackThis v1.98.1
Scan saved at 15:35:58, on 09/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\appht32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\iezk32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Don McFarlane\My Documents\utilities\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9ABD55B8-A2CA-BE23-F848-21D286EF33B7} - C:\WINDOWS\ieyp32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iezk32.exe] C:\WINDOWS\system32\iezk32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton AntiVirus 2002.lnk = C:\Program Files\Common Files\Symantec Shared\NMain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab

dc

Probable solution for sp.html and related variable named dlls
http://www.tek-tips.com/gviewthread.cfm/pid/760/qid/889849

Part of the hijacker described below
C:\WINDOWS\system32\iezk32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129



Not sure about all of them but the sp.html  and index.html entries are from a start page hijacker  or homesearch hijacker which I think is classified as a cool web variant.  Try aboutbuster and see if you can get rid of it with that.  Run it several times.  The hijacker recreates itself and changes the name of the dll every time.  It's a bad one to get rid of but I haven't tried aboutbuster on it so it might work.  If you can get rid of that one, then you'll have the worst part fixed.  Might repost log for a second look after your done.

I've tried aboutbuster many times and while it seemingly removes things, back they come. I am just trying SpySweeper which has identified the usual suspects but it remains to be seen if it is only a temporary cure....

dc

I had this a few months ago and ended up reinstalling out of frustration.  It imperative to have good tools.  If you want to track it down, you could download
Agent Ransack
Registrar Lite
Regmon
Filemon

You can delete it temporarily with aboutbuster while you have regmon and filemon running.  If you have enough time and patience, you might be able to trace the origin of the file recreation process.  Immediately upon recreation, if you run agent ransack to retrieve every file on the machine and then sort by date, the latest few files will be the new dll's that it has created. You can take their timestamps and correlate to regmon and filemon to find the corresponding registry and file access entries.  At some point, even if the file that creates them is alive for only a second, you might be able to see what spawned the process.  Notice also that if this is the same hijacker, then about:blank files will trigger the searchpage.  Coming onto EE for instance, you will likely incur a tribalfusion popup that, for some reason, also runs an about:blank. That will likely set it off.  Wish I had other tools but don't.  Hijackthis doesn't kill.  I guess aboutbuster doesn't either.  If I find something else, I'll post.  Also notice that the file that does regenerate it might be hidden or only in existence briefly, in which case you'll need to look for the file that created it.  Also, check the run keys in the registry.  Msconfig can have the boxes unchecked but the run keys can still have entries in them.

http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

From link above - apparently one dll is hidden - this is the manual procedure if the standards apps don't get it

Removal Procedure:
There are two application extensions (.dll) files that Need to be deleted. One is hidden (thanks Akadia!), one is detected with "HiJackThis.exe"

1) With "Reglite.exe" find name of hidden file:
Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\ The "value" window reveals the hidden file name. (mine was "hlpl.dll", yours may be different!)
In this example we'll call it "hidden.dll"
Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del or right click and Delete) If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.

2) Rename the hidden file:
Close Windows and reboot using "Windows Recovery Console"
Bwose to the system32 directory located at: C:\Windows\system32\
Replace this path with your system32 dir. In order to know your system32 run cmd and type:
echo %WINDIR%\System32

After finding your system32 directory do the following:
a) Change file from read only by typing attrib -r hidden.dll
b) Rename the file (For some reason this only works after rename) type: rename hidden.dll nasty.dll
(and remember that "hidden.dll" is for this explanation only use the name you found earlier)
Type "exit" and reboot to Windows.

3) Edit registry to remove hidden file:
Run "reglite.exe" again.
Double Click on "AppInit_DLLs" located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\
Delete the file in "value" window, the "size" window changes also.
"Apply" changes and exit "reglite.exe"

4) Edit registry to remove the second file:
Run HiJackThis.exe and scan the registry.
Check the boxes to remove the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
(as you can see the second .dll in the example was called "jheckb.dll" yours may be different) For this example let's call it "obvious.dll".

* Note: As there are MANY variations to this hijacker, the registry entries might differ from the ones listed above. If the entries are different, look for entries containing the name of the second dll, in this example jheckb.dll.

Finally delete the two .dlls ("hidden.dll" and "obvious.dll")

That's it! You should be running again

By the way, if you go offline with Internet Explorer and type OK To these nasty adware windows you will see the guys who benefit from this hijacker. Time2Early found:
www.likesurfing.com
www.vn.msie.cc (the real web page)

They seem to be selling adware/spyware protection...

http://www.akadia.com/services/about_blank_virus.html

u have got many advices,,, so one more from me ;-)

So First of All Download these tools and install Adaware and Spybot:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================
I know u have already them, im just giving again :)
and then Turn Off ur System Restore, and fix the following lines in hijakchtis !!!!!

========================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9ABD55B8-A2CA-BE23-F848-21D286EF33B7} - C:\WINDOWS\ieyp32.dll
O4 - HKLM\..\Run: [iezk32.exe] C:\WINDOWS\system32\iezk32.exe
====================================================================
then......

1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here.
8. Reboot back in Normal Mode and check if problems are gone
9. If YES then Great, otherwise u can come back and Shout on me, that ..... "Stop Bugging meeeeee >:("

=|

Hi

I think Timothyfryers on the right lines for what it's worth - looking around at this pain that lots of people seem to have had lots of trouble with - the key seems to be getting rid of the hidden dll that is continually spawning this problem,

Deb :))

Appears similar to #38 on this detail of cws variants-this also references a manual removal technique which varies somewhat with the variant.  Let us know is you are able to remove this thing.  The source for cws is a Russian company which utilizes a growing number of affiliates.  I suspect this thing will get worse over time.

http://www.richardthelionhearted.com/~merijn/cwschronicles.html#aboutblank

Right, a little update.. I thought timothyfryer might be on to something but unfortunately the hidden dll doesn't exist in the version I seem to have.

For the record...

Spybot, adaware, cwshredder, aboutbuster and spysweeper either fail to spot the cws_ns3 variant or remove it on a temporary basis. Deleting temp files seem to have no lasting effect either. Logging in as administrator or running in safe mode also proves similarily ineffective. Has anybody ever managed to remove this bastard for good....

I have searched google and haven't found any suggestion that works yet...

1 more day and then it'll have to be a format and reinstallation..

dc

The only other idea besides roaming google for a fix would be using the regmon filemon scenario above but it can get extremely involved when xp accesses 5000 registry keys per second.  You might be time ahead just to backup and do a new or a repair install.  Sorry I couldn't find something better.  If you do either, you might want to run some boot virus checks first so that all the trouble isn't wasted.  Also, check out http://cityofangels.com/experts/crazyone .  It's possible he found a solution to this start page variant somewhere.  His EE Answerbase is accessible from the drop down menu at the top.

dercoss.... a last question from me.... does this problem happen with all\new users of the system or is it just ur user who is having problems ??

Using this link...

https://www.experts-exchange.com/questions/21042150/CWS-NS3-Hijacker.html

I seem to have got rid of the malicious little bastard. The question is, what danger is there in turning off the service Network Security Service?

I don't know if it is anything to do with Windows XP as it isn't even on another PC I'm using...

Dc

No i also dont have this service on any of my XP system,,,,, never heard abt this service,,,,, u can disable it !!!!!

Hi,

Have a look at this thread here: It notes that this service is running on numerous different machines, with different executables listed for that service, which is highly suspicious in my book. As far as I'm aware it isn't normally a resident service on an uninfected xp machine,

http://groups.google.co.uk/groups?q=xp+%22network+security+service%22&hl=en&lr=&ie=UTF-8&newwindow=1&selm=XfmBc.8385%24w07.6807%40newsread2.news.pas.earthlink.net&rnum=1

Are you using msconfig to turn this off? If so I would imagine that it should be fine, but wait for other opinions. Also, could you locate the path to the executable for this service? - Check in services in admin tools in control panel - double click the service and let us know what the path to the exec is - I have a sneaky that this might be your hidden problem,

Deb :))

Yea, follow the path to the exe and let us know..  then we can advise you better...

The path is..

C:\WINDOWS\SYSTEM32\APPHT32.EXE

Since I switched this off in services the problem hasn't returned. I'm going to rename the exe and see what happens before I try and delet it..

dc

However, I no longer have a program called appht32.exe on the system. Maybe it has gone or maybe it has just gone to ground for a while but the browser hijacking hasn't returned yet...

dc

http://translate.google.com/translate?hl=en&sl=fr&u=http://www.commentcamarche.net/forum/affich-821254-Only-the-Best-Image-dll-e&prev=/search%3Fq%3DAPPHT32.EXE%26hl%3Den%26lr%3D%26ie%3DUTF-8%26sa%3DG

Isn't google great..!!
Problem is, I can't read French... :)

That's OK Fatal, neither does Google.

I guess I should explain that the French Connection was the hit I got for appht32.exe, but also look out for a file called image.dll, I had it on my similar infestation.

I think its a left over service entry from a previous removed malware stuff,,,,, have a look in the registry to find the entry for this service, and delete it after backing it up >> http://www.mvps.org/sramesh2k/Startup.htm

This is what finally did it for me (from Q_21042150).........................

"Comment from Ken_Goding
Date: 08/06/2004 06:03AM PDT
 Comment  


It won't do enough I'm afraid... I learned that yesterday afternoon.  I'm still working on it, but there's a service that needs to be turned off.  If you hit start - run and type "services.msc", you'll find one called "Network Security Service" that needs to be stopped and disabled, the one I saw was in a different language!

There's a program called About Buster that I'm working with now, it might help, www.downloads.subtram.org/AboutBuster.zip

AVG antivirus is a must for me, I don't trust Symantec anymore.

There's a paid product called BOclean ($40) that people are saying is really good.  I haven't tried it, I try to stay free as much as possible "

dc

Hi

Did you actually get anywhere, or did you give up and reformat dercoss? I came home last night to find an infection on my pc - 7 trojans - coolwebsearch and bridge (my partner had a fun week - bless him) - although it was somewhat trial and error I managed to get rid, but it did involve a reasonable amount of registry editing and tracking of services etc - adaware, spybot,hijackthis and trend online also proved helpful. Interestingly enough my fully updated symantec looked on and said absolutely nothing whatsoever....

I have no problem with PAQ/refund - sorry we weren't more help,

Deb :))

This is what did it for me....




Using this link...

https://www.experts-exchange.com/questions/21042150/CWS-NS3-Hijacker.html

I seem to have got rid of the malicious little bastard. The question is, what danger is there in turning off the service Network Security Service?

I don't know if it is anything to do with Windows XP as it isn't even on another PC I'm using...

Dc

I have a fairly new install of XP with no upgrades and Network Security Service is not one of the services that came with it.  Unless it was added in sp1 or 2, it is probably either another antivirus program or the service that keeps your virus alive.  You can disable everything in services and still be functional because only one is absolutely necessary and xp won't let you turn it off - remote procedure call - Your safer if you run fewer services, many provide weaknesses that allow viruses to run code.  

That's not to say you should turn them all off.  You will lose functionality in many areas if you do.
The point is that your machine will still run with them off.

I'll come back with some links for you on how to decide which are needed.

Double check but I think it maintains the HomeSearch virus based on cursory overview of link below and other hits in google for "network security service"
http://www.pchell.com/support/onlythebest.shtml

Looks like this is another virus service
Workstation NetLogon Service

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/svrxpser_5.mspx

http://www.theeldergeek.com/services_guide.htm
http://www.microsoft.com/downloads/details.aspx?FamilyId=2D3E25BC-F434-4CC6-A5A7-09A8A229F118&displaylang=en
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch07.mspx

Maybe there's something here you can use:

https://www.experts-exchange.com/questions/21069854/Problem-1-Backdoor-Trojan-WINPE-DLL-or-winpe-dll-Problem-2-CWS-NS3-CWS-NS3-Hijacker-CWS-Yun.html

ep

Hi

There is no danger in turning off network security service - it isn't a native xp service - try hiding all microsoft services when you  run msconfig (see checkbox at thew bottom) - this service isn't listed as ms and is undoubtedly the source of your problem I believe. If you can find the registry key that invokes it then delete that too (back up the registry of course prior to making any changes). My solution to my own variant of nasty little git not so cool websearch rested on disabling a similar service and then deleting the registry keys to run it - often found in this key - particularly any services with the value rundll32.exe that aren't immediately obvious to you are worth exporting for backup purposes and then deleting,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deb :))

Hi
I cam across this - maybe worth a try?
Startup Cop
http://www.pcmag.com/article2/0,1759,1554244,00.asp

Deb :))

Sorry the above isn't free (used to be) but this is and can give you a bit more control over startup items,
Startup Control Panel
http://www.onlythebestfreeware.com/program.asp?program_id=82

Deb :))

Deb, here is what I think you may be looking for.  I use it on my personal systems, and it works very nicely.  I also use Mike Lin's Startup Monitor to let me know if an app is trying to place itself in one of my Run Keys...  

And they are both free..  Thanks again Mike..  :)

http://www.mlin.net/StartupCPL.shtml

I asked for this to be closed some while back. (see 21st August). I thought it had all been sorted out ages ago...

dc