How to kill Cool Web Search

[Rock55214]

I currently have a pc that has Cool Web Search on it. I have tried everything that i can think of or heard of so far to get rid of it. I have run a number McAfee virus scans with all the latest updates. As well as Spybot search and destroy, Adaware and cwshredder. The adaware can detect the cool web search but cant delete it and the cwshredder scan comes up clean. The cool web is still there and is prohibiting access to the internet. Any help or information would be appreciated.

Thanks

 

[carrr]

Download Hijack This!

http://www.tomcoyote.org/hjt/

Scan your pc and post a log back here.

You're running Windows 2000, if I remember correctly from the other forum, right?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[Rock55214]

ok here is the hijack this log from the infected pc and yes it is a win2k machine. Thanks for the help.

Logfile of HijackThis v1.98.2
Scan saved at 3:17:35 PM, on 8/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\sapdoccd.log:tgnqc
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\WINNT\system32\svchost.exe
C:\LDClient\wuser32.exe
C:\WINNT\system32\cba\xfr.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\system32\MsgSys.EXE
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe
C:\Program Files\SAP\FrontEnd\SAPgui\sapfewgsrv.exe
C:\WINNT\explorer.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\jamtx.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Credence Systems Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.credenc.com:8090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

http://www.credence.com;*.credence.com;credence.com;<local>

R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "

http://home.credence.com/");

(d:\Program Files\Netscape\Users\balaji_batra\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FE63079E-DA2E-C40F-5367-09720AF611A1} - C:\WINNT\system32\addbf32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [atlmt.exe] C:\WINNT\system32\atlmt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://public.windupdates.com/get_f...27c293f863e8:8b5b4fff0cd3ceb2d022384e480b9c0d

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

 

[vop]

'About:buster' tool is applicable to browser hijacks that have R1/R0 entries that look like this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\buvmr.dll/sp.html#12802

Install and run AboutBuster.
<

http://www.downloads.subratam.org/AboutBuster.zip>

Instructions and further discussion (4 links):

http://groups.google.ca/groups?hl=e...tml#"+fix+r1+OR+r0+"about:buster"&btnG=Search

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 

[CableInstaller]

You realize you are victim of alternate data streams as well?

C:\WINNT\sapdoccd.log:tgnqc

these are somewhat tricky to detect and remove, involves some third party tools and removal techniques.

Seems this thread died I was waiting to see the outcome or chance to suggest some cleaning methods

 

[diogenes10]

cableinstaller
I doubt it died. I suspect the post was made after carrr was gone for weekend. I dont have the skills for this particular problem. If you have some suggestions go ahead and make them.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[carrr]

Nothing died but my participation.
I've got a bad (depends on your perspective) habit...after I leave work on Friday, I don't touch a pc (unless it's an absolute necessity) until Monday a.m. There are plenty of (more) capable hands to pick up wherever Friday afternoon finds me leaving off.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[MasterRacker]

If you can't get to the Web it's possible your LSP stack was damaged by the CWS removal process. Try the tools mentioned in steps 5 & 6 of this FAQ: faq608-4650


Jeff
The future is already here - it's just not widely distributed yet...

 

[Rock55214]

So carr, with it being Monday and all whats your opinion on my Hijackthis log?

Thanks again for the help

 

[carrr]

If it was my machine, I'd kill (after disabling system restore, of course):


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
res://C:\WINNT\jamtx.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINNT\jamtx.dll/sp.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FE63079E-DA2E-C40F-5367-09720AF611A1} -
C:\WINNT\system32\addbf32.dll

O4 - HKLM\..\Run: [atlmt.exe] C:\WINNT\system32\atlmt.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://public.windupdates.com/get_file.php?

bt=ie&p=49e422e7968751004a7c475f91f16bf5704ecd078aae7d3982a3508206fdc37f677
f5429ee732a811e3c55f70527c293f863e8:8b5b4fff0cd3ceb2d022384e480b9c0d
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.c

ab

Reboot.

But, I'd also mention that every post made before the one I'm making now contains valuable info, particularly the tool offered by diogenes10 and the lspfix suggested by MasterRacker.

Let us know how it works out, and which tool(s) hits pay dirt.

Good luck.








Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[Rock55214]

Hi guys,

Thanks for all the help. I ran the HJT and deleted the entries that you suggested carr, as well as ran the about buster tool. Which deleted a whole bunch of .Dll's that im pretty sure were made by the CWS. However, i rebooted and ran another HJT scan and this is what came up..

Logfile of HijackThis v1.98.2
Scan saved at 6:20:53 PM, on 8/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\system32\d3jz.exe
C:\WINNT\sapdoccd.log:tgnqc
C:\Documents and Settings\sgrundy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.credence.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Credence Systems Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.credence.com:8090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

http://www.credence.com;*.credence.com;credence.com;<local>

O2 - BHO: (no name) - {74EB288F-86B2-A706-81A2-10397F1EDCEA} - C:\WINNT\ipvd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [d3jz.exe] C:\WINNT\system32\d3jz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

The thing that i am having the trouble with now (and beleave will solve my problems if i can fid a way to kill it) it the d3jz.exe file. However, it cannot be deleted. If i try to delete it with HJT it will just come right right back. In addition when I try to delete it in windows it gives me an access denied message.

Thanks again for all the help and any further information or suggestions would be greatly appreciated.

 

[vop]

Try killing it with 'Process Explorer'(freeware):

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 

[diogenes10]

See my Aug 28 comment in this thread for hijackthis tutorial
(and killbox and dllcompare if needed).

http://www.tek-tips.com/viewthread.cfm?qid=907925

Try booting up in safe mode.
Look in hijackthis process reviewer (check tutorial for exact description/location in program) for d3jz.exe. Stop it if running.

Fix these:
O2 - BHO: (no name) - {74EB288F-86B2-A706-81A2-10397F1EDCEA} - C:\WINNT\ipvd.dll
O4 - HKLM\..\Run: [d3jz.exe] C:\WINNT\system32\d3jz.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Then delete these:
C:\WINNT\ipvd.dll
C:\WINNT\system32\d3jz.exe

Reboot to normal and see what happens.

If some combination of these steps or killbox/process explorer won't get rid of these two files, run dll compare and hjt this again and post both logs and we'll try to figure out a next step for you.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[Rock55214]

Thanks for the help guys. I will post back as soon as i get a chance to try these suggestions out.

 

[Rock55214]

Hey all....Success!!!!

Finaly got that SOB off my users computer. I ended up using both Hijack This and About Buster. I had to run both a few times and pick and choose things to delete and in the end...no more cool web search. IE comes up fine now and it no longer redirects the home page to a search site.

Thanks again to every one for all the help

 

[diogenes10]

Good Work!
Thanks for letting us know.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[CableInstaller]

Would be nice to see a followup HiJackThis log...

I'm not sure if About Buster tool will remove AD Streams yet??

 

[vop]

Did a google search on:

ads removal tool "alternate data stream"

http://www.google.ca/search?hl=en&ie=UTF-8&q=ads+removal+tool+"alternate+data+stream"+&btnG=Search

Also:
ads "removal tool" "alternate data stream"
ads "detection tool" "alternate data stream"

Added aboutbuster variations to the search with no luck.

AdAware SE seems to also have some detection capabilities for ADS.

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]