SOLVED: HELP! THIS IS URGENT!

April 14th, 2005, 5:44 pm

Well...apparently...somehow...CoolWebSearch was installed on my computer. Microsoft AntiSpyware always detects it, and removes it, but it comes back.

I used CWShredder to try and remove it, it found it, it said it was removed, but it came back.

I only have one CoolWebSearch.

CWS.SVCHOST

That's the one I have, and it won't go away.

Please help me get rid of this. I tried using Ad-Aware SE, Microsoft AntiSpyware, CWShredder....nothing works. I need your help. This is urgent!

Thanks,
Craig

[ATNO/TW]

April 14th, 2005, 6:59 pm

Nice to see you recognized it and used shreader. Post a hijackthis log but follow all steps here first: http://www.ozzu.com/ftopic34568.html

April 14th, 2005, 7:22 pm

HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:58 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Sygate\SPF\smc.exe
F:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Superhunter\NetSpeeder\NetSpeeder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\PCACCE~1\mem.exe
C:\WINDOWS\system32\tbctray.exe
F:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Startup Faster 2004\sfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\JetToolBar\JetTB.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AIM\aim.exe
F:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.189.173.74:80
R3 - Default URLSearchHook is missing
O1 - Hosts: 70.84.13.131 100webspace.com #0
O1 - Hosts: 66.36.242.82 66.36.242.82 #0
O1 - Hosts: 66.226.64.7 http://www.allstargaming.net #0
O1 - Hosts: 216.155.200.237 babelfish.altavista.com #0
O1 - Hosts: 198.64.158.250 http://www.spiritualists.org #0
O1 - Hosts: 162.140.64.125 bensguide.gpo.gov #0
O1 - Hosts: 193.229.9.131 http://www.bwgen.com #0
O1 - Hosts: 64.141.32.201 http://www.canaca.com #0
O1 - Hosts: 216.109.112.135 ask.yahoo.com #0
O1 - Hosts: 66.117.8.20 doom3.filefront.com #0
O1 - Hosts: 69.94.66.151 http://www.alltooflat.com #0
O1 - Hosts: 207.44.214.54 http://www.emuparadise.org #0
O1 - Hosts: 24.80.226.117 http://www.gpemu.cjb.net #0
O1 - Hosts: 209.59.4.130 http://www.geek.com #0
O1 - Hosts: 216.66.28.247 theplaceforitall.com #0
O1 - Hosts: 69.90.153.229 homepage-host.uni.cc #0
O1 - Hosts: 63.88.172.66 http://www.winnetmag.com #0
O1 - Hosts: 206.190.44.47 playlist.yahoo.com #0
O1 - Hosts: 67.19.128.194 http://www.spiralpages.com #0
O1 - Hosts: 207.150.192.12 http://www.xeofreestyle.com #0
O1 - Hosts: 212.78.220.207 http://www.lycos.co.uk #0
O1 - Hosts: 212.78.204.210 forums.tripod.lycos.co.uk #0
O1 - Hosts: 66.102.15.101 macca1.blogspot.com #0
O1 - Hosts: 216.92.56.121 http://www.duxcw.com #0
O1 - Hosts: 205.234.158.122 http://www.phpbb.com #0
O1 - Hosts: 209.197.254.63 http://www.phpbbhacks.com #0
O1 - Hosts: 128.125.19.183 www-scf.usc.edu #0
O1 - Hosts: 64.151.193.203 http://www.profileads.com #0
O1 - Hosts: 216.241.32.130 reflexive.net #0
O1 - Hosts: 66.152.98.201 http://www.cyberwalker.net #0
O1 - Hosts: 216.241.32.130 http://www.ricochetlostworlds.com #0
O1 - Hosts: 81.3.150.144 http://www.soft-best.net #0
O1 - Hosts: 69.50.165.90 projectw.org #0
O1 - Hosts: 207.178.165.2 http://www.technewsworld.com #0
O1 - Hosts: 209.59.140.145 http://www.phpbbforfree.com #0
O1 - Hosts: 207.106.91.63 http://www.thefreesite.com #0
O1 - Hosts: 66.35.250.162 http://www.thinkgeek.com #0
O1 - Hosts: 67.18.54.176 tyler.woktiny.com #0
O1 - Hosts: 216.193.220.209 http://www.uncutgraphix.com #0
O1 - Hosts: 207.36.181.118 http://www.chami.com #0
O1 - Hosts: 67.159.5.63 http://www.x-ddl.com #0
O1 - Hosts: 66.34.190.240 http://www.codejock.com #0
O1 - Hosts: 69.56.175.235 www2.hardocp.com #0
O1 - Hosts: 207.44.192.98 http://www.aimencrypt.com #0
O1 - Hosts: 67.123.30.114 http://www.blackviper.com #0
O1 - Hosts: 207.46.245.92 http://www.microsoft.com #0
O1 - Hosts: 64.235.246.143 http://www.edownloads.org #0
O1 - Hosts: 195.8.71.249 http://www.sean.co.uk #0
O1 - Hosts: 204.157.7.84 filext.com #0
O1 - Hosts: 66.98.154.62 http://www.acidfonts.com #0
O2 - BHO: IeControler Class - {9AFD91F9-6B03-4D22-A1E1-67D224CB7AB1} - F:\Program Files\Superhunter\NetSpeeder\IEMate.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - F:\Program Files\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\StrpFstCfg.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O8 - Extra context menu item: &NeoTrace It! - F:\Program Files\NeoTracePro\NTXcontext.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - F:\Program Files\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - F:\Program Files\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - F:\Program Files\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - F:\Program Files\PRMT6\PRMTIE\options.htm
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweakSE2\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweakSE2\PopUp Blocker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\Program Files\NeoTracePro\NTXtoolbar.htm (HKCU)
O11 - Options group: [!ANetSpeeder] NetSpeeder
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://vbb.fairlawnschools.org/XUpload.ocx
O20 - Winlogon Notify: WB - F:\Program Files\Stardock\Object Desktop\WindowBlinds\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - F:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

AND NO..IT'S NOT FLASHGET

[ATNO/TW]

April 14th, 2005, 7:34 pm

It might not be Flashget, but you edited your log. It's impossible for you to have only one 04 Run entry with all those startup programs running.

Try again and be honest this time.

April 14th, 2005, 7:54 pm

You are calling me a liar? I use something called Startup Faster 2004. It puts the startup things in a different spot. I know that everything else is fine. I checked the MSCONFIG. Next time...don't blame me. I didn't edit the log. WHY would I edit my log?

[ATNO/TW]

April 14th, 2005, 7:58 pm

Fine...then you figure out where the registry entries are and fix them yourself...I'm out.

April 14th, 2005, 8:12 pm

Heh...wow...some help you are....IT'S NOT ANY OF MY PROGRAMS STARTING UP. That I'm sure about. Have more patients dude.

[ATNO/TW]

April 14th, 2005, 8:23 pm

I have a ton of patience. There isn't a single sign ( that I can see at least of cool websearch in your log). I can't help you until you provide your run proggies or more details. Sorry

April 14th, 2005, 8:42 pm

I'm telling you. It has nothing to do what is starting up. When I start IE, MS AntiSpyWare tells me that CoolWebSearch was trying to hijack the browser. So it prevents it from happening. It asks me if I want to remove it, I say yes, it says it removes it. Then the browser is fine. When I reboot, and open IE, the same thing happens all over again...I just scanned with like 10 different spyware scanners, used CWShredder, and other things. It doesn't make sense.

This is the DLL MS AntiSpyware said was trying to hijack the browser with CoolWebSearch.

C:\Windows\System32\shdocvw.dll

Maybe you could tell me how to unload the DLL, and then re-download the originial one that's not infected?

Plus, I also looked for the registry keys that are supposed to be added and/or changed by CoolWebSearch, and I didn't find any. So it might just be this DLL that's loaded when IE starts, MS AntiSpyware doesn't detect it unless I open IE.

Thanks,
Craig

[ATNO/TW]

April 14th, 2005, 9:03 pm

Well, first my apologies for getting irritated earlier. You didn't help much.

The shdocvw.dll library is required by windows and is used to display the folders on your system (e.g. c:program files). Windows will not operate without shdocvw.dll.

I have no idea why your's keeps flagging the CWS. Partly do to the fact that I've never used the MS Anti-spyware. Still I see nothing in your log that suggests it and being unable to view your startup Run entries I'm unable to determine the root cause.

[ATNO/TW]

April 14th, 2005, 9:24 pm

I have no idea what this is:
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - F:\Program Files\PRMT6\PRMTIE\prmtie5.htm

and several other references you have to it in your log. Almost everything I could find is in languages I couldn't read, but I'm guessing PRMTIE is a nix via the Google translations..

April 15th, 2005, 5:51 am

Yea...that htm file is from a translation program, my favorite. It doesn't contain spyware.

Um...can you tell me how to unload DLL files? I'll try and send you a picture of what MS Antispyware says when I get home from school.

Until then, see if you can tell me how to unload DLL files.

Thanks,
Craig

[ATNO/TW]

April 15th, 2005, 9:25 am

Sorry, I missed that question earlier. That's pretty easy really. THese instructions should do the trick, but be really careful with that one. Make sure you've made backups and what not, because you screw that one up and you'll be reinstalling everything from scratch:
http://www.iamnotageek.com/a/111-p1.php

April 15th, 2005, 1:04 pm

Interesting...I was reading up on it, and apparently, it uses that DLL file, but through the registry. Right now, I still have MS Antispyware blocking it from installing. But it has got to be in the registry somewhere, but I cannot find the registry keys to delete / change.

Please help me with that.


AND NOW WHAT'S EVEN MORE SCARY...

I just noticed that MS Antispyware deleted tons or registry keys. But still, after I reboot, it comes back.

Here's the picture I promised.



Thanks,
Craig

[ATNO/TW]

April 15th, 2005, 1:45 pm

Well, Craig, would love to help you with that if I could, but that takes us back to square one and the fact that we can't actually see your global startup and run entries.

If you can find those and post them, we'd be in business.
Normally they are in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


For whatever reason Hijackthis isn't finding them, or they have been moved elsewhere. If you can find where they are actually at now, we might make some progress.