Solved

Getting Rid of Latest CoolWebSearch Infection

Posted on 2004-08-08
Last Modified: 2010-05-18
Is there any way of removing the latest version of this little bastard since CWShredder stopped being updated? I thought I had finally done it a few days ago but it's back again. I have used Adaware, Spybot, CWShredder, AboutBuster, Hijackthis and nothing seems able to permanently remove this home page hijacker for good.

I am going to have to reinstall Windows after a format at this rate but would like one more bash at it...

Incidentally, I have tried safe mode and every cranky thing people have suggested to no effect and am giving 500 points for a positive result here...

dc
0
Comment
Question by:dercoss
53 Comments
 

Author Comment

by:dercoss
ID: 11748888
Incidentally, I am in the UK and it being midnight here now am off to bed so will reply after a good sleep.....

dc
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11748905
Hello dercoss =)

Before suggesting anything, i want to take a look at ur Hijackthis LOG file.... so can u plzz Download HijackThis v1.98.1, run it, Save the LOG file and Post it here:

Link1 >> http://tools.radiosplace.com/HijackThis.exe
Link2 >> http://spywarewarrior.com/files/HijackThis.exe
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 11748925
Hi

Also, for Spybot, have you Immunized your computer with it?

Regards,
Zyloch
0

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11749172
It is a real pain removing this, but I have used the methods here to my satisfaction..

How to uninstall & remove cool web search browser hijacker

http://www.spysweeper.com/remove-coolwebsearch.html
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11749180
BTW: Use the manual method outlined in the link above..  I found it to be the only real way to kill this...

FE
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11749181
Hi
Yes by all accounts "little bastard" is a fairly reasonable, if not somewhat tame description and it's a real shame about cwshredder. I'd be interested to know if this is anywhere near the mark, as the thing appears to have several different variants that added up make it a real bugger to get rid of,
Manual Spy Bot Removal > CoolWebSearch
http://www.spy-bot.net/CoolWebSearch.asp
Remove coolwebsearch
http://www.spysweeper.com/remove-coolwebsearch.html

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11749192
Bugger - two minutes too late ;))
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11749212
haha...  by a nose..  :)
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11749215
Laugh it up boyo, I'll have my day ;)
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11749226
and isn't it ironic......don't you think, a little too ironic, yes I really do think....
(pay no attention, I've had a long day and am slightly hysterical)

Deb ;)
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 11749229
AHH!!! I'm surrounded by smart people ;)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11749341
Deb, there are quite a few times that you beat me to the mark...  along with most of the other experts...!!!  :)  

Zyloch..  well, we will just have to take that as a compliment, eh?  
0
 
LVL 4

Expert Comment

by:ashishdaga
ID: 11749689
Dercoss,

Here is ALL you need:

1.   Google for this file ***:
      "miniremoval_coolwebsearch_smartkiller.exe"
      Download and run it.

2.   Follow instructions on this page:
      http://www.fixyourwindows.com/windowsxpsolutions.htm

Happy Hunting!

*** "miniremoval_coolwebsearch_smartkiller.exe" was recommended by Merijn - creator of  HijackThis and CWShredder


-Ashish
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11751347

http://www.doxdesk.com/parasite/CoolWebSearch.html


If the search page pops up when an about:blank file is loaded, then AboutBuster seems to be catching on.  Third comment from the bottom in this forum explains.
http://www.techimo.com/forum/archive/index.php/t-114687.html

http://www.snapfiles.com/get/aboutbuster.html
0
 

Author Comment

by:dercoss
ID: 11752805
Don't start congratulating each other just yet. The links and suggestions may have worked for earlier versions of this nasty infection but not for the one I'm getting.

Here is the hijackthis log. I might add that the odd looking things come back with slightly different gibberish names each time..

Logfile of HijackThis v1.98.1
Scan saved at 15:35:58, on 09/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\appht32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\iezk32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Don McFarlane\My Documents\utilities\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9ABD55B8-A2CA-BE23-F848-21D286EF33B7} - C:\WINDOWS\ieyp32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iezk32.exe] C:\WINDOWS\system32\iezk32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton AntiVirus 2002.lnk = C:\Program Files\Common Files\Symantec Shared\NMain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab

dc
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11753134
Probable solution for sp.html and related variable named dlls
http://www.tek-tips.com/gviewthread.cfm/pid/760/qid/889849

Part of the hijacker described below
C:\WINDOWS\system32\iezk32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129



Not sure about all of them but the sp.html and index.html entries are from a start page hijacker or homesearch hijacker which I think is classified as a cool web variant.  Try aboutbuster and see if you can get rid of it with that.  Run it several times.  The hijacker recreates itself and changes the name of the dll every time.  It's a bad one to get rid of but I haven't tried aboutbuster on it so it might work.  If you can get rid of that one, then you'll have the worst part fixed.  Might repost log for a second look after you're done.


0
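An added example, not part of the thread: the log above shows every hijacked Internet Explorer value pointing at a `res://` resource inside one DLL, and the DLL name changes after each cleanup. This sketch parses the R0/R1 lines and builds a fingerprint that ignores the DLL name, so two scans can be matched as the same hijack. The function names and the second DLL name (`xqzpd.dll`) are invented for illustration.

```python
import re
from collections import defaultdict

# R0/R1 lines as posted in the thread, plus three lines that must NOT be flagged.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R3 - Default URLSearchHook is missing
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
"""
# Constructed second scan: same entries, invented replacement DLL name.
SCAN_2 = SCAN_1.replace("cbjvu.dll", "xqzpd.dll")

# "R1 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM))\\(.+?),(.+?) = (.*)$")
# "res://<dll path or bare dll name>/<resource>[#fragment]"
RES_URL = re.compile(r"^res://(.+?\.dll)/([^#\s]+)(?:#(\S+))?", re.IGNORECASE)


def parse_res_hijacks(log_text):
    """Return one dict per R0/R1 value whose data is a res:// URL into a DLL."""
    hits = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        _, hive, key, value, data = m.groups()
        r = RES_URL.match(data)
        if not r:
            continue  # ordinary value such as the Window Title
        dll_path, resource, fragment = r.groups()
        hits.append({
            "hive": hive, "key": key, "value": value,
            "dll": dll_path.replace("/", "\\").split("\\")[-1].lower(),
            "resource": resource.lower(), "fragment": fragment,
        })
    return hits


def by_dll(hits):
    """Group the affected registry values under the DLL they point at."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h["dll"]].append(f'{h["hive"]}\\{h["key"]},{h["value"]}')
    return dict(grouped)


def signature(hits):
    """Fingerprint that ignores the DLL name: which value loads which resource."""
    return frozenset((h["hive"], h["value"], h["resource"]) for h in hits)


def compare_scans(before, after):
    """Report whether two scans show the same hijack under a different DLL name."""
    a, b = parse_res_hijacks(before), parse_res_hijacks(after)
    same = bool(a) and signature(a) == signature(b)
    return {
        "dlls_before": sorted(by_dll(a)),
        "dlls_after": sorted(by_dll(b)),
        "same_hijack": same,
        "dll_renamed": same and set(by_dll(a)) != set(by_dll(b)),
    }


if __name__ == "__main__":
    for dll, values in by_dll(parse_res_hijacks(SCAN_1)).items():
        print(dll, len(values), "values")
    print(compare_scans(SCAN_1, SCAN_2))
```
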
 

Author Comment

by:dercoss
ID: 11753364
I've tried aboutbuster many times and while it seemingly removes things, back they come. I am just trying SpySweeper which has identified the usual suspects but it remains to be seen if it is only a temporary cure....

dc
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11753768
I had this a few months ago and ended up reinstalling out of frustration.  It is imperative to have good tools.  If you want to track it down, you could download
Agent Ransack
Registrar Lite
Regmon
Filemon

You can delete it temporarily with aboutbuster while you have regmon and filemon running.  If you have enough time and patience, you might be able to trace the origin of the file recreation process.  Immediately upon recreation, if you run agent ransack to retrieve every file on the machine and then sort by date, the latest few files will be the new dll's that it has created. You can take their timestamps and correlate to regmon and filemon to find the corresponding registry and file access entries.  At some point, even if the file that creates them is alive for only a second, you might be able to see what spawned the process.  Notice also that if this is the same hijacker, then about:blank files will trigger the searchpage.  Coming onto EE for instance, you will likely incur a tribalfusion popup that, for some reason, also runs an about:blank. That will likely set it off.  Wish I had other tools but don't.  Hijackthis doesn't kill.  I guess aboutbuster doesn't either.  If I find something else, I'll post.  Also notice that the file that does regenerate it might be hidden or only in existence briefly, in which case you'll need to look for the file that created it.  Also, check the run keys in the registry.  Msconfig can have the boxes unchecked but the run keys can still have entries in them.

0
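An added example, not part of the thread: the timestamp correlation described in the post above, run over constructed data. The file listing and the monitor records are simplified stand-ins (not Filemon's real export layout), and every process and DLL name except `cbjvu.dll` is invented.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
WRITE_OPS = {"CREATE", "WRITE"}  # operations that can bring a file back

# Constructed file listing (path, created), standing in for a whole-disk
# search sorted by date.
FILES = [
    (r"C:\WINDOWS\system32\kernel32.dll", "2002-08-29 12:00:00"),
    (r"C:\WINDOWS\system32\xqzpd.dll", "2004-08-09 16:02:11"),
    (r"C:\WINDOWS\ieab32.dll", "2004-08-09 16:02:12"),
    (r"C:\WINDOWS\Temp\scan.log", "2004-08-09 16:02:30"),
]

# Constructed, simplified monitor records: (time, process, operation, path).
EVENTS = [
    ("2004-08-09 16:01:40", "cleaner_tool.exe", "DELETE", r"C:\WINDOWS\system32\cbjvu.dll"),
    ("2004-08-09 16:02:10", "svc_example.exe", "CREATE", r"c:\windows\system32\xqzpd.dll"),
    ("2004-08-09 16:02:11", "svc_example.exe", "WRITE", r"C:\WINDOWS\system32\xqzpd.dll"),
    ("2004-08-09 16:02:12", "svc_example.exe", "CREATE", r"C:\WINDOWS\ieab32.dll"),
    ("2004-08-09 16:02:13", "explorer.exe", "READ", r"C:\WINDOWS\system32\xqzpd.dll"),
    ("2004-08-09 16:02:14", "iexplore.exe", "READ", r"C:\WINDOWS\system32\xqzpd.dll"),
    ("2004-08-09 16:09:00", "backup_tool.exe", "WRITE", r"C:\WINDOWS\ieab32.dll"),
]


def ts(text):
    return datetime.strptime(text, FMT)


def recreated(files, cleaned_at, ext=".dll"):
    """Files of the given type created at or after the moment the cleanup ran."""
    cutoff = ts(cleaned_at)
    return {
        path.lower(): ts(created)  # Windows paths compare case-insensitively
        for path, created in files
        if path.lower().endswith(ext) and ts(created) >= cutoff
    }


def writers(events, targets, window_s=5):
    """Map each recreated file to the processes that created or wrote it
    within window_s seconds of its creation time. Reads are ignored, since
    the shell and the browser touch the file without having produced it."""
    window = timedelta(seconds=window_s)
    found = {path: set() for path in targets}
    for when, proc, op, path in events:
        p = path.lower()
        if p in targets and op in WRITE_OPS and abs(ts(when) - targets[p]) <= window:
            found[p].add(proc.lower())
    return found


def suspects(files, events, cleaned_at, window_s=5):
    """Rank processes by how many of the recreated files they wrote."""
    found = writers(events, recreated(files, cleaned_at), window_s)
    counts = Counter(proc for procs in found.values() for proc in procs)
    return counts.most_common()


if __name__ == "__main__":
    print(suspects(FILES, EVENTS, cleaned_at="2004-08-09 16:01:40"))
```

The short time window matters because it keeps a later, unrelated write (the constructed `backup_tool.exe` record) from being blamed for the recreation.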
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11753787
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11753865
From link above - apparently one dll is hidden - this is the manual procedure if the standard apps don't get it

Removal Procedure:
There are two application extensions (.dll) files that Need to be deleted. One is hidden (thanks Akadia!), one is detected with "HiJackThis.exe"

1) With "Reglite.exe" find name of hidden file:
Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\ The "value" window reveals the hidden file name. (mine was "hlpl.dll", yours may be different!)
In this example we'll call it "hidden.dll"
Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del or right click and Delete) If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.

2) Rename the hidden file:
Close Windows and reboot using "Windows Recovery Console"
Browse to the system32 directory located at: C:\Windows\system32\
Replace this path with your system32 dir. In order to know your system32 run cmd and type:
echo %WINDIR%\System32

After finding your system32 directory do the following:
a) Change file from read only by typing attrib -r hidden.dll
b) Rename the file (For some reason this only works after rename) type: rename hidden.dll nasty.dll
(and remember that "hidden.dll" is for this explanation only use the name you found earlier)
Type "exit" and reboot to Windows.

3) Edit registry to remove hidden file:
Run "reglite.exe" again.
Double Click on "AppInit_DLLs" located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\
Delete the file in "value" window, the "size" window changes also.
"Apply" changes and exit "reglite.exe"

4) Edit registry to remove the second file:
Run HiJackThis.exe and scan the registry.
Check the boxes to remove the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
(as you can see the second .dll in the example was called "jheckb.dll" yours may be different) For this example let's call it "obvious.dll".

* Note: As there are MANY variations to this hijacker, the registry entries might differ from the ones listed above. If the entries are different, look for entries containing the name of the second dll, in this example jheckb.dll.

Finally delete the two .dlls ("hidden.dll" and "obvious.dll")

That's it! You should be running again

By the way, if you go offline with Internet Explorer and type OK To these nasty adware windows you will see the guys who benefit from this hijacker. Time2Early found:
www.likesurfing.com
www.vn.msie.cc (the real web page)

They seem to be selling adware/spyware protection...
0
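An added example, not part of the thread: a check of the two autostart locations the posts point at (the `AppInit_DLLs` value and the Run keys), done offline against a registry export. It assumes the `.reg` text has already been decoded to a Python string and reads string values only. The sample export is constructed: `hidden.dll` is the stand-in name used in the procedure above, the Run values are taken from the posted HijackThis log, and the function names and the reviewed-names list are hypothetical.

```python
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# "name"="data" with .reg escaping (\\ for a backslash, \" for a quote)
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed export for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="hidden.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"iezk32.exe"="C:\\WINDOWS\\system32\\iezk32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''


def parse_reg(text):
    """Parse string values from .reg text into {KEY_PATH_UPPER: {name: data}}.
    dword/hex values and continuation lines do not match and are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = STRING_VALUE.match(line)
        if m and current is not None:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys


def audit(text, reviewed_run_names=()):
    """Return DLLs listed in AppInit_DLLs and Run entries not yet reviewed.
    An empty AppInit_DLLs list is the expected state on the machines
    discussed in this thread."""
    reg = parse_reg(text)
    windows = reg.get(APPINIT_KEY.upper(), {})
    appinit = next((v for n, v in windows.items() if n.lower() == "appinit_dlls"), "")
    reviewed = {n.lower() for n in reviewed_run_names}
    run = [
        (key.split("\\", 1)[0], name, cmd)
        for key in RUN_KEYS
        for name, cmd in reg.get(key.upper(), {}).items()
        if name.lower() not in reviewed
    ]
    return {
        # the value is a space- or comma-separated list of DLLs
        "appinit_dlls": [d for d in re.split(r"[ ,]+", appinit) if d],
        "unreviewed_run": run,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_REG, reviewed_run_names=("MSConfig", "MSMSGS")))
```
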
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11754007
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11754616
u have got many advices,,, so one more from me ;-)

So First of All Download these tools and install Adaware and Spybot:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================
I know u have already them, im just giving again :)
and then Turn Off ur System Restore, and fix the following lines in HijackThis !!!!!

========================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cbjvu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cbjvu.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbjvu.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9ABD55B8-A2CA-BE23-F848-21D286EF33B7} - C:\WINDOWS\ieyp32.dll
O4 - HKLM\..\Run: [iezk32.exe] C:\WINDOWS\system32\iezk32.exe
====================================================================
then......

1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Reboot back in Normal Mode and check if problems are gone
9. If YES then Great, otherwise u can come back and Shout on me, that ..... "Stop Bugging meeeeee >:("

=|
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11754696
Hi

I think Timothyfryers on the right lines for what it's worth - looking around at this pain that lots of people seem to have had lots of trouble with - the key seems to be getting rid of the hidden dll that is continually spawning this problem,

Deb :))
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11755820
Appears similar to #38 on this detail of cws variants-this also references a manual removal technique which varies somewhat with the variant.  Let us know if you are able to remove this thing.  The source for cws is a Russian company which utilizes a growing number of affiliates.  I suspect this thing will get worse over time.

http://www.richardthelionhearted.com/~merijn/cwschronicles.html#aboutblank
0
 

Author Comment

by:dercoss
ID: 11760351
Right, a little update.. I thought timothyfryer might be on to something but unfortunately the hidden dll doesn't exist in the version I seem to have.

For the record...

Spybot, adaware, cwshredder, aboutbuster and spysweeper either fail to spot the cws_ns3 variant or remove it on a temporary basis. Deleting temp files seems to have no lasting effect either. Logging in as administrator or running in safe mode also proves similarly ineffective. Has anybody ever managed to remove this bastard for good....

I have searched google and haven't found any suggestion that works yet...

1 more day and then it'll have to be a format and reinstallation..

dc
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11760535
The only other idea besides roaming google for a fix would be using the regmon filemon scenario above but it can get extremely involved when xp accesses 5000 registry keys per second.  You might be time ahead just to backup and do a new or a repair install.  Sorry I couldn't find something better.  If you do either, you might want to run some boot virus checks first so that all the trouble isn't wasted.  Also, check out http://cityofangels.com/experts/crazyone .  It's possible he found a solution to this start page variant somewhere.  His EE Answerbase is accessible from the drop down menu at the top.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11761105
dercoss.... a last question from me.... does this problem happen with all\new users of the system or is it just ur user who is having problems ??
0
 

Author Comment

by:dercoss
ID: 11762013
Using this link...

http://www.experts-exchange.com/Miscellaneous/New_Net_Users/Q_21042150.html

I seem to have got rid of the malicious little bastard. The question is, what danger is there in turning off the service Network Security Service?

I don't know if it is anything to do with Windows XP as it isn't even on another PC I'm using...

Dc
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11762095
No i also dont have this service on any of my XP system,,,,, never heard abt this service,,,,, u can disable it !!!!!
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11762127
Hi,

Have a look at this thread here: It notes that this service is running on numerous different machines, with different executables listed for that service, which is highly suspicious in my book. As far as I'm aware it isn't normally a resident service on an uninfected xp machine,

http://groups.google.co.uk/groups?q=xp+%22network+security+service%22&hl=en&lr=&ie=UTF-8&newwindow=1&selm=XfmBc.8385%24w07.6807%40newsread2.news.pas.earthlink.net&rnum=1

Are you using msconfig to turn this off? If so I would imagine that it should be fine, but wait for other opinions. Also, could you locate the path to the executable for this service? - Check in services in admin tools in control panel - double click the service and let us know what the path to the exec is - I have a sneaky that this might be your hidden problem,

Deb :))
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11762199
Yea, follow the path to the exe and let us know..  then we can advise you better...
0
 

Author Comment

by:dercoss
ID: 11762291
The path is..

C:\WINDOWS\SYSTEM32\APPHT32.EXE

Since I switched this off in services the problem hasn't returned. I'm going to rename the exe and see what happens before I try and delete it..

dc
0
 

Author Comment

by:dercoss
ID: 11762367
However, I no longer have a program called appht32.exe on the system. Maybe it has gone or maybe it has just gone to ground for a while but the browser hijacking hasn't returned yet...

dc
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11762404
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11762521
Isn't google great..!!
Problem is, I can't read French... :)
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11762543
That's OK Fatal, neither does Google.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11762576
I guess I should explain that the French Connection was the hit I got for appht32.exe, but also look out for a file called image.dll, I had it on my similar infestation.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11763195
I think its a left over service entry from a previous removed malware stuff,,,,, have a look in the registry to find the entry for this service, and delete it after backing it up >> http://www.mvps.org/sramesh2k/Startup.htm
0
 

Author Comment

by:dercoss
ID: 11828278
This is what finally did it for me (from Q_21042150).........................

"Comment from Ken_Goding
Date: 08/06/2004 06:03AM PDT
 Comment  


It won't do enough I'm afraid... I learned that yesterday afternoon.  I'm still working on it, but there's a service that needs to be turned off.  If you hit start - run and type "services.msc", you'll find one called "Network Security Service" that needs to be stopped and disabled, the one I saw was in a different language!

There's a program called About Buster that I'm working with now, it might help, www.downloads.subtram.org/AboutBuster.zip

AVG antivirus is a must for me, I don't trust Symantec anymore.

There's a paid product called BOclean ($40) that people are saying is really good.  I haven't tried it, I try to stay free as much as possible "

dc
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11859811
Hi

Did you actually get anywhere, or did you give up and reformat dercoss? I came home last night to find an infection on my pc - 7 trojans - coolwebsearch and bridge (my partner had a fun week - bless him) - although it was somewhat trial and error I managed to get rid, but it did involve a reasonable amount of registry editing and tracking of services etc - adaware, spybot,hijackthis and trend online also proved helpful. Interestingly enough my fully updated symantec looked on and said absolutely nothing whatsoever....

I have no problem with PAQ/refund - sorry we weren't more help,

Deb :))

0
 

Author Comment

by:dercoss
ID: 11860512
This is what did it for me....




Using this link...

http://www.experts-exchange.com/Miscellaneous/New_Net_Users/Q_21042150.html

I seem to have got rid of the malicious little bastard. The question is, what danger is there in turning off the service Network Security Service?

I don't know if it is anything to do with Windows XP as it isn't even on another PC I'm using...

Dc
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11860534
I have a fairly new install of XP with no upgrades and Network Security Service is not one of the services that came with it.  Unless it was added in sp1 or 2, it is probably either another antivirus program or the service that keeps your virus alive.  You can disable everything in services and still be functional because only one is absolutely necessary and xp won't let you turn it off - remote procedure call - You're safer if you run fewer services, many provide weaknesses that allow viruses to run code.

That's not to say you should turn them all off.  You will lose functionality in many areas if you do.
The point is that your machine will still run with them off.

I'll come back with some links for you on how to decide which are needed.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11860575
Double check but I think it maintains the HomeSearch virus based on cursory overview of link below and other hits in google for "network security service"
http://www.pchell.com/support/onlythebest.shtml

Looks like this is another virus service
Workstation NetLogon Service

0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11860603
0
 
LVL 15

Expert Comment

by:ericpete
ID: 11861703
Maybe there's something here you can use:

http://www.experts-exchange.com/Q_21069854.html

ep
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11862284
Hi

There is no danger in turning off network security service - it isn't a native xp service - try hiding all microsoft services when you run msconfig (see checkbox at the bottom) - this service isn't listed as ms and is undoubtedly the source of your problem I believe. If you can find the registry key that invokes it then delete that too (back up the registry of course prior to making any changes). My solution to my own variant of nasty little git not so cool websearch rested on disabling a similar service and then deleting the registry keys to run it - often found in this key - particularly any services with the value rundll32.exe that aren't immediately obvious to you are worth exporting for backup purposes and then deleting,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11863792
Hi
I came across this - maybe worth a try?
Startup Cop
http://www.pcmag.com/article2/0,1759,1554244,00.asp

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11863812
Sorry the above isn't free (used to be) but this is and can give you a bit more control over startup items,
Startup Control Panel
http://www.onlythebestfreeware.com/program.asp?program_id=82

Deb :))
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11863839
Deb, here is what I think you may be looking for.  I use it on my personal systems, and it works very nicely.  I also use Mike Lin's Startup Monitor to let me know if an app is trying to place itself in one of my Run Keys...  

And they are both free..  Thanks again Mike..  :)

http://www.mlin.net/StartupCPL.shtml
0
 

Author Comment

by:dercoss
ID: 12125878
I asked for this to be closed some while back. (see 21st August). I thought it had all been sorted out ages ago...

dc
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 12154671
PAQed, with points refunded (500)

Computer101
E-E Admin
0
