Solved

Can't Remove New Variant of CoolWebSearch, Tried everything. Can anyone help me?

Posted on 2004-10-06
Last Modified: 2013-12-04
Hello,
This is my first post to this forum.
I seem to have a variant of CoolWebSearch that I cannot remove.
I have run CWShredder (from its own folder in safe mode), I have run Ad-Aware with updated definition files, as well as Spybot S&D with updated definition files. After all of this CoolWebSearch is always found by both spyware programs, 11 or 12 registry entries depending on which program is run. The IE home page is always set to http://t.swapx.cc/* as well. I have tried to solve this all night and have been unsuccessful. HijackThis finds a bunch of tlb files that I know should not be there, but I am new to this program and am asking for your help. Any advice would be greatly appreciated.

Below is my HijackThis log (this was also run from safe mode after running CWShredder):

Logfile of HijackThis v1.98.2
Scan saved at 9:48:36 PM, on 10/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cmd.exe
C:\stuff\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
O3 - Toolbar: SpyAssassin - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareSafe\AdBlocker.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\n2jagmzobek2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Snsicon.lnk = C:\SLIDESHW\Snsicon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O20 - AppInit_DLLs: nvdesk32.dll jm2y42cehften.tlb 8sce00hhxz4.tlb f7lk7381ayz.tlb gxeyxt4euxlj32.tlb ggnm7uy49zp.tlb p3bw8nhdzay7w6.tlb ka6zumv1ierebl.tlb 38eshhimslg.tlb 6n09wspw03skms.tlb 58mikij616an.tlb 108837ugd9k.tlb siajljk7e0.tlb jsv7m75cbt.tlb ro6l0hkz9i.tlb pwtiywiradhm.tlb txnlf3x1h2p6.tlb tkjstxu2aty.tlb 51pnxeyrxi9.tlb bti1d749alel0a.tlb 303155hza7f1tg.tlb ihisfl9o7jrjk.tlb 8zsjxm09zc.tlb x2vu1ltwx4yn.tlb szw7zhghbavm.tlb fcxvzxa2jmfs.tlb xdreevb9sczn18.tlb kftfk3s5gpaip5.tlb 9n9badm44hgfyj.tlb 647jcr7emf84x.tlb 641od7d65p8rx.tlb h9hanimta8.tlb 3kl6dznkei84u.tlb va1kk69zkj.tlb szx86tn9gpj.tlb 3milyal1pac0.tlb 1yepjyrum56.tlb 64owmrs6ekf1.tlb 5xrd44luvns.tlb 0muc7ck6sk.tlb fnxopencgzx2.tlb t8mkdkf9p9oz0.tlb
Question by:Edeneye
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12236590
Hello Edeneye =)

hmmmmmm so first make sure u have all these ready with u !!
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Then disable ur system restore >> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
then close all ur browser and explorer windows, run a HijackThis scan and check the following lines and click on Fix Checked !!

======================================================
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\n2jagmzobek2.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: nvdesk32.dll jm2y42cehften.tlb 8sce00hhxz4.tlb f7lk7381ayz.tlb gxeyxt4euxlj32.tlb ggnm7uy49zp.tlb p3bw8nhdzay7w6.tlb ka6zumv1ierebl.tlb 38eshhimslg.tlb 6n09wspw03skms.tlb 58mikij616an.tlb 108837ugd9k.tlb siajljk7e0.tlb jsv7m75cbt.tlb ro6l0hkz9i.tlb pwtiywiradhm.tlb txnlf3x1h2p6.tlb tkjstxu2aty.tlb 51pnxeyrxi9.tlb bti1d749alel0a.tlb 303155hza7f1tg.tlb ihisfl9o7jrjk.tlb 8zsjxm09zc.tlb x2vu1ltwx4yn.tlb szw7zhghbavm.tlb fcxvzxa2jmfs.tlb xdreevb9sczn18.tlb kftfk3s5gpaip5.tlb 9n9badm44hgfyj.tlb 647jcr7emf84x.tlb 641od7d65p8rx.tlb h9hanimta8.tlb 3kl6dznkei84u.tlb va1kk69zkj.tlb szx86tn9gpj.tlb 3milyal1pac0.tlb 1yepjyrum56.tlb 64owmrs6ekf1.tlb 5xrd44luvns.tlb 0muc7ck6sk.tlb fnxopencgzx2.tlb t8mkdkf9p9oz0.tlb
===========================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
10. Post Back and Good Luck :)
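As an added illustration of the triage the expert performs on the log above (this is not code from the thread, from HijackThis or from any of the linked tools), the following Python sketch parses the O4/O15/O20 line shapes and flags the same kinds of entries: trusted-zone additions, anything in AppInit_DLLs, run entries with random-looking names or a regsvr32 /u command, and orphaned "(file missing)" entries. The sample log lines are constructed from the post, and the digit-run heuristic for "random-looking" names is an assumption, not a published rule.

```python
import re

# Constructed sample in the shape of the HijackThis v1.98 log above (a few lines, not the full log).
SAMPLE_LOG = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\n2jagmzobek2.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: nvdesk32.dll jm2y42cehften.tlb 8sce00hhxz4.tlb f7lk7381ayz.tlb
"""

DIGIT_RUN = re.compile(r"\d+")

def looks_random(stem: str) -> bool:
    """Assumed heuristic: two or more separate digit runs in a file-name stem
    (n2jagmzobek2, 8sce00hhxz4); vendor names (navapw32, PD6000SM) carry one."""
    return len(DIGIT_RUN.findall(stem)) >= 2

def triage(log_text: str) -> list:
    """Return [(section, reason, line)] for entries a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(O\d+) - (.*)", line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O15":
            # A trusted-zone entry relaxes IE's security settings for that site.
            findings.append((section, "trusted zone entry", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs load into every user32 process; the value is normally empty.
            mods = body.split(":", 1)[1].split()
            tlbs = [n for n in mods if n.lower().endswith(".tlb")]
            findings.append((section, f"{len(mods)} AppInit_DLLs modules, {len(tlbs)} .tlb", line))
        elif section == "O4":
            cmd = body.split("]", 1)[-1].strip() if "]" in body else body
            parts = cmd.split() or [""]  # guard against an empty Run value
            stem = re.split(r"[\\/]", parts[0])[-1].rsplit(".", 1)[0]
            if "regsvr32" in cmd.lower() and "/u" in cmd.lower():
                findings.append((section, "regsvr32 /u at logon", line))
            elif looks_random(stem):
                findings.append((section, "random-looking executable name", line))
        if "(file missing)" in line:
            findings.append((section, "orphaned entry", line))
    return findings
```

Running `triage(SAMPLE_LOG)` reproduces the four lines the expert asked to fix and leaves the Norton entries alone.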
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12236600
and from next time, before posting log here, have it analysed at this site >> http://www.hijackthis.de/index.php?langselect=english
it can automatically tell u which Safe and Nasty entries are present in ur LOG and how to deal with them :)

CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they should be deleted, Fix them. And whenever u run HijackThis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantage of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysis, then copy the link of that page and paste it here, and we will check it for u :)
 
LVL 16

Expert Comment

by:JamesDS
ID: 12236654
Edeneye
Extremely good CWS article here:
http://www.silentrunners.org/sr_cwsremoval.html

This link (largely courtesy of COBOLDinosaur) contains everything you need to know about spyware, scumware, adware, hijacked home pages etc and the tools you need to get rid of them:
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

Cheers

JamesDS

 

Author Comment

by:Edeneye
ID: 12240088
Hello,
Thank you both for your quick replies.
I have gone through the steps laid out by SheharyaarSaahil. (Have also read your links JamesDS) and here's what's up now.
IE home page stays where it is set at.
Ad-aware no longer finds anything, nor does cwshredder.
Spy-bot still finds 5 DSO-Exploits after every reboot even after they have been fixed by spy-bot. They are all in HKEY_USERS and all end with "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
http://www.hijackthis.de/index.php?langselect=english comes up with a few "possibly nasty" but nothing stands out to me as non-Windows related (Messenger and Reference 2001 are part of Windows and MS Encarta respectively right?)
Anything else seen in this log?

Logfile of HijackThis v1.98.2
Scan saved at 1:24:48 PM, on 10/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\Promon.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\Sktempdm.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\stuff\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
O3 - Toolbar: SpyAssassin - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareSafe\AdBlocker.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Snsicon.lnk = C:\SLIDESHW\Snsicon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12240772
ok ur log looks clean now... good job :)
and about the spybot problem,,,, so that's a common bug in it, u have to follow the instructions here to get rid of it :)

Spybot keeps finding DSO exploit
http://www.computing.net/windowsxp/wwwboard/forum/104837.html

do it, and post back the results =)
 

Author Comment

by:Edeneye
ID: 12261598
Thanks a lot. Your answers did the trick. Just had to manually edit the registry for those Spybot detected DSO exploits and they were gone for good. As for the CoolWebSearch stuff, it never came back either.

Your time and effort is greatly appreciated.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12261634
great news.... good job Eden !! :)
Cheers ^_^