Solved

Can't Remove New Variant of CoolWebSearch, Tried everything. Can anyone help me?

Posted on 2004-10-06
Last Modified: 2013-12-04
Hello,
This is my first post to this forum.
I seem to have a variant of CoolWebSearch that I cannot remove.
I have run CWShredder (from its own folder in safe mode), I have run Ad-Aware with updated definition files, as well as Spybot S&D with updated definition files. After all of this CoolWebSearch is always found by both spyware programs, 11 or 12 registry entries depending on which program is run. The IE home page is always set to http://t.swapx.cc/* as well. I have tried to solve this all night and have been unsuccessful. HijackThis finds a bunch of tlb files that I know should not be there, but I am new to this program and am asking for your help. Any advice would be greatly appreciated.

Below is my HijackThis log (this was also run from safe mode after running CWShredder):

Logfile of HijackThis v1.98.2
Scan saved at 9:48:36 PM, on 10/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cmd.exe
C:\stuff\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
O3 - Toolbar: SpyAssassin - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareSafe\AdBlocker.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\n2jagmzobek2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Snsicon.lnk = C:\SLIDESHW\Snsicon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O20 - AppInit_DLLs: nvdesk32.dll jm2y42cehften.tlb 8sce00hhxz4.tlb f7lk7381ayz.tlb gxeyxt4euxlj32.tlb ggnm7uy49zp.tlb p3bw8nhdzay7w6.tlb ka6zumv1ierebl.tlb 38eshhimslg.tlb 6n09wspw03skms.tlb 58mikij616an.tlb 108837ugd9k.tlb siajljk7e0.tlb jsv7m75cbt.tlb ro6l0hkz9i.tlb pwtiywiradhm.tlb txnlf3x1h2p6.tlb tkjstxu2aty.tlb 51pnxeyrxi9.tlb bti1d749alel0a.tlb 303155hza7f1tg.tlb ihisfl9o7jrjk.tlb 8zsjxm09zc.tlb x2vu1ltwx4yn.tlb szw7zhghbavm.tlb fcxvzxa2jmfs.tlb xdreevb9sczn18.tlb kftfk3s5gpaip5.tlb 9n9badm44hgfyj.tlb 647jcr7emf84x.tlb 641od7d65p8rx.tlb h9hanimta8.tlb 3kl6dznkei84u.tlb va1kk69zkj.tlb szx86tn9gpj.tlb 3milyal1pac0.tlb 1yepjyrum56.tlb 64owmrs6ekf1.tlb 5xrd44luvns.tlb 0muc7ck6sk.tlb fnxopencgzx2.tlb t8mkdkf9p9oz0.tlb
Question by:Edeneye
7 Comments
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 2000 total points
ID: 12236590
Hello Edeneye =)

hmmmmmm so first make sure u have all these ready with u !!
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Then disable ur system restore >> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
then close all ur browser and explorer windows, run HijackThis scan and check the following lines and click on Fix Checked !!

======================================================
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\n2jagmzobek2.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: nvdesk32.dll jm2y42cehften.tlb 8sce00hhxz4.tlb f7lk7381ayz.tlb gxeyxt4euxlj32.tlb ggnm7uy49zp.tlb p3bw8nhdzay7w6.tlb ka6zumv1ierebl.tlb 38eshhimslg.tlb 6n09wspw03skms.tlb 58mikij616an.tlb 108837ugd9k.tlb siajljk7e0.tlb jsv7m75cbt.tlb ro6l0hkz9i.tlb pwtiywiradhm.tlb txnlf3x1h2p6.tlb tkjstxu2aty.tlb 51pnxeyrxi9.tlb bti1d749alel0a.tlb 303155hza7f1tg.tlb ihisfl9o7jrjk.tlb 8zsjxm09zc.tlb x2vu1ltwx4yn.tlb szw7zhghbavm.tlb fcxvzxa2jmfs.tlb xdreevb9sczn18.tlb kftfk3s5gpaip5.tlb 9n9badm44hgfyj.tlb 647jcr7emf84x.tlb 641od7d65p8rx.tlb h9hanimta8.tlb 3kl6dznkei84u.tlb va1kk69zkj.tlb szx86tn9gpj.tlb 3milyal1pac0.tlb 1yepjyrum56.tlb 64owmrs6ekf1.tlb 5xrd44luvns.tlb 0muc7ck6sk.tlb fnxopencgzx2.tlb t8mkdkf9p9oz0.tlb
===========================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
10. Post Back and Good Luck :)
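The lines the accepted solution picks out share a few traits a defender can check mechanically: a Run entry whose executable has a machine-generated name, a logon job that unregisters a COM server with regsvr32 /u, a Trusted Zone wildcard, and AppInit_DLLs entries that are not DLLs at all. The script below is an added example, not something from the thread or from HijackThis itself; it parses a small constructed log in HijackThis v1.98 format (six lines modelled on the log above, with the forty-odd .tlb names trimmed to three) and returns review items with the reason each line was flagged. The "random-looking name" heuristic is my own and is tuned only so the legitimate names on this page pass it.

```python
import re

# Constructed sample in HijackThis v1.98 format; the six lines mirror entries in
# the thread above (the real O20 line lists over forty .tlb names, trimmed here).
SAMPLE_LOG = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\n2jagmzobek2.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: nvdesk32.dll jm2y42cehften.tlb 8sce00hhxz4.tlb pwtiywiradhm.tlb
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body: HKLM\..\Run: [display name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable-looking path of a command line, with optional surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)', re.I)


def looks_random(filename: str) -> bool:
    """Heuristic (my own) for generated names such as n2jagmzobek2.exe: a long stem
    with letters and digits interleaved, or one with almost no vowels."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 10:
        return False
    transitions = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    vowel_ratio = sum(stem.count(v) for v in "aeiou") / len(stem)
    return transitions >= 2 or vowel_ratio < 0.15


def exe_basename(cmd: str) -> str:
    """Last path component of the first executable named on a Run command line."""
    m = EXE_RE.match(cmd)
    path = m.group("path") if m else cmd.split(" ")[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> list[dict]:
    """Return review items for the autostart-related sections of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if section == "O4":
            r = RUN_RE.match(body)
            if r:
                cmd = r.group("cmd")
                if looks_random(exe_basename(cmd)):
                    reasons.append("random-looking executable name in a Run key")
                if re.search(r"\bregsvr32\b.*\s/u\b", cmd, re.I):
                    reasons.append("regsvr32 /u at logon: unregistering a COM server "
                                   "is not a normal autostart job")
        elif section == "O15":
            reasons.append("Trusted Zone entry lowers IE security for that host; "
                           "confirm it was added deliberately")
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32.dll, so
            # each entry is worth a look; non-.dll names are an extra red flag.
            for entry in body.split(":", 1)[1].split():
                why = []
                if not entry.lower().endswith(".dll"):
                    why.append("non-DLL extension")
                if looks_random(entry):
                    why.append("random-looking name")
                if why:
                    reasons.append(f"AppInit_DLLs entry {entry} ({', '.join(why)})")
        for reason in reasons:
            findings.append({"section": section, "line": raw.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"{item['section']:4} {item['reason']}\n     {item['line']}")
```

On the sample, the Norton toolbar and the SoundMAX Run entry pass, while the five entries the accepted solution told the poster to fix are the ones reported (nvdesk32.dll survives the O20 pass because it is a .dll with a readable name). The heuristic is a reviewer aid, not a verdict: as the next comment says, research an entry before fixing it.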
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12236600
and from next time, before posting log here, have it analysed at this site >> http://www.hijackthis.de/index.php?langselect=english
it can automatically tell u that what are Safe and Nasty entries present in ur LOG and how to deal with them :)

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
LVL 16

Expert Comment

by:JamesDS
ID: 12236654
Edeneye
Extremely good CWS article here:
http://www.silentrunners.org/sr_cwsremoval.html

This link (largely courtesy of COBOLDinosaur) contains everything you need to know about spyware, scumware, adware, hijacked home pages etc and the tools you need to get rid of them:
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

Cheers

JamesDS
Author Comment

by:Edeneye
ID: 12240088
Hello,
Thank you both for your quick replies.
I have gone through the steps laid out by SheharyaarSaahil. (Have also read your links JamesDS) and here's what's up now.
IE home page stays where it is set at.
Ad-aware no longer finds anything, nor does cwshredder.
Spy-bot still finds 5 DSO-Exploits after every reboot even after they have been fixed by spy-bot. They are all in HKEY_USERS and all end with "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3"
http://www.hijackthis.de/index.php?langselect=english comes up with a few "possibly nasty" but nothing stands out to me as non-Windows related (Messenger and Reference 2001 are part of Windows and MS Encarta respectively right?)
Anything else seen in this log?

Logfile of HijackThis v1.98.2
Scan saved at 1:24:48 PM, on 10/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\Promon.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\Sktempdm.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\stuff\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
O3 - Toolbar: SpyAssassin - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareSafe\AdBlocker.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Snsicon.lnk = C:\SLIDESHW\Snsicon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12240772
ok ur log looks clean now... good job :)
and abt spybot problem,,,, so that's a common bug in it, u have to follow the instructions here to get rid of it :)

Spybot keeps finding DSO exploit
http://www.computing.net/windowsxp/wwwboard/forum/104837.html

do it, and post back the results =)
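The Spybot detections the poster quotes have the form `<key>\<value>!=W=3`: the value `1004` under `Zones\0` (the Local Machine zone; 1004 is the "Download unsigned ActiveX controls" setting, and 3 means Disable) is expected to hold a DWORD of 3. A detection that reappears after every "fix" usually means the stored value matches on data but not on type, which is why the linked thread ends in a manual registry edit. The code below is an added example, not Spybot's logic or anything from the thread: it parses that notation into an expectation and compares it against a constructed registry snapshot in which one hive stores the value as a string "3" and another as a DWORD 3. Reading `W` as "DWORD" is my assumption about the notation, and the SIDs are placeholders.

```python
import re

# Constructed sample in the shape of the Spybot lines quoted above; the SIDs are
# placeholders, not values from the thread.
SAMPLE_DETECTIONS = [
    r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3",
    r"HKEY_USERS\S-1-5-21-PLACEHOLDER-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3",
]

# Constructed registry snapshot: {key: {value name: (type, data)}}. The first hive
# holds 1004 as a string "3", the second as a DWORD 3, to show that the type counts.
SNAPSHOT = {
    r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0":
        {"1004": ("REG_SZ", "3")},
    r"HKEY_USERS\S-1-5-21-PLACEHOLDER-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0":
        {"1004": ("REG_DWORD", 3)},
}

DETECTION_RE = re.compile(r"^(?P<key>.+)\\(?P<value>[^\\]+)!=(?P<type>[A-Z])=(?P<data>.+)$")
# Assumption: W denotes a DWORD value, S a string value.
TYPE_NAMES = {"W": "REG_DWORD", "S": "REG_SZ"}


def parse_detection(text: str) -> dict:
    """Turn 'key\\value!=W=3' into the registry state the scanner expects."""
    m = DETECTION_RE.match(text)
    if not m:
        raise ValueError(f"not a recognised detection line: {text!r}")
    reg_type = TYPE_NAMES[m["type"]]
    data = int(m["data"]) if reg_type == "REG_DWORD" else m["data"]
    return {"key": m["key"], "value": m["value"], "type": reg_type, "data": data}


def check(snapshot: dict, detection: str) -> str:
    """Compare one expectation against the snapshot; 'ok' only if type and data match."""
    want = parse_detection(detection)
    have = snapshot.get(want["key"], {}).get(want["value"])
    if have is None:
        return f"missing: create {want['type']} {want['value']} = {want['data']}"
    reg_type, data = have
    if reg_type != want["type"]:
        return f"wrong type {reg_type}: delete and recreate as {want['type']} = {want['data']}"
    if data != want["data"]:
        return f"wrong data {data!r}: set to {want['data']}"
    return "ok"


def remediation_plan(snapshot: dict, detections: list[str]) -> list[tuple[str, str, str]]:
    """One (key, value, status) triple per detection line."""
    plan = []
    for line in detections:
        want = parse_detection(line)
        plan.append((want["key"], want["value"], check(snapshot, line)))
    return plan


if __name__ == "__main__":
    for key, value, status in remediation_plan(SNAPSHOT, SAMPLE_DETECTIONS):
        print(f"{status}\n    {key}\\{value}")
```

The first hive is reported as "wrong type" even though its data reads 3, which is exactly the situation where a scanner keeps re-flagging a value it appears to have fixed; the second passes. Run against a real machine the snapshot would be built from the live hives, and the remediation strings map directly onto what a manual edit in regedit has to do.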

Author Comment

by:Edeneye
ID: 12261598
Thanks a lot. Your answers did the trick. Just had to manually edit the registry for those Spybot detected DSO exploits and they were gone for good. As for the CoolWebSearch stuff, it never came back either.

Your time and effort is greatly appreciated.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12261634
great news.... good job Eden !! :)
Cheers ^_^