
How to kill Cool Web Search


Rock55214

Technical User
Aug 24, 2004
13
US
I currently have a PC that has Cool Web Search on it. I have tried everything that I can think of or heard of so far to get rid of it. I have run a number of McAfee virus scans with all the latest updates, as well as Spybot Search & Destroy, Ad-Aware and CWShredder. Ad-Aware can detect Cool Web Search but can't delete it, and the CWShredder scan comes up clean. Cool Web Search is still there and is blocking access to the Internet. Any help or information would be appreciated.

Thanks
 
Download Hijack This!

Scan your pc and post a log back here.

You're running Windows 2000, if I remember correctly from the other forum, right?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
OK, here is the HijackThis log from the infected PC, and yes, it is a Win2K machine. Thanks for the help.

Logfile of HijackThis v1.98.2
Scan saved at 3:17:35 PM, on 8/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\sapdoccd.log:tgnqc
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\WINNT\system32\svchost.exe
C:\LDClient\wuser32.exe
C:\WINNT\system32\cba\xfr.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\system32\MsgSys.EXE
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe
C:\Program Files\SAP\FrontEnd\SAPgui\sapfewgsrv.exe
C:\WINNT\explorer.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\jamtx.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Credence Systems Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.credenc.com:8090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", " (d:\Program Files\Netscape\Users\balaji_batra\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FE63079E-DA2E-C40F-5367-09720AF611A1} - C:\WINNT\system32\addbf32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [atlmt.exe] C:\WINNT\system32\atlmt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - 
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
 
The 'About:Buster' tool is applicable to browser hijacks that have R1/R0 entries that look like this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\buvmr.dll/sp.html#12802

Install and run AboutBuster.

Instructions and further discussion (4 links):


Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
 
You realize you are a victim of alternate data streams as well?

C:\WINNT\sapdoccd.log:tgnqc

These are somewhat tricky to detect and remove; it involves some third-party tools and removal techniques.

Seems this thread died :( I was waiting to see the outcome or a chance to suggest some cleaning methods.
 
cableinstaller
I doubt it died. I suspect the post was made after carrr was gone for the weekend. I don't have the skills for this particular problem. If you have some suggestions, go ahead and make them.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Nothing died but my participation.
I've got a bad (depends on your perspective) habit...after I leave work on Friday, I don't touch a pc (unless it's an absolute necessity) until Monday a.m. There are plenty of (more) capable hands to pick up wherever Friday afternoon finds me leaving off.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
If you can't get to the Web it's possible your LSP stack was damaged by the CWS removal process. Try the tools mentioned in steps 5 & 6 of this FAQ: faq608-4650


Jeff
The future is already here - it's just not widely distributed yet...
 
So carr, with it being Monday and all :) what's your opinion on my HijackThis log?

Thanks again for the help





 
If it was my machine, I'd kill (after disabling system restore, of course):


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jamtx.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\jamtx.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jamtx.dll/sp.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FE63079E-DA2E-C40F-5367-09720AF611A1} - C:\WINNT\system32\addbf32.dll

O4 - HKLM\..\Run: [atlmt.exe] C:\WINNT\system32\atlmt.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
bt=ie&p=49e422e7968751004a7c475f91f16bf5704ecd078aae7d3982a3508206fdc37f677
f5429ee732a811e3c55f70527c293f863e8:8b5b4fff0cd3ceb2d022384e480b9c0d
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
ab

Reboot.

But, I'd also mention that every post made before the one I'm making now contains valuable info, particularly the tool offered by diogenes10 and the lspfix suggested by MasterRacker.

Let us know how it works out, and which tool(s) hits pay dirt.

Good luck.








Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Hi guys,

Thanks for all the help. I ran HJT and deleted the entries that you suggested, carr, as well as running the AboutBuster tool, which deleted a whole bunch of .dlls that I'm pretty sure were made by CWS. However, I rebooted and ran another HJT scan and this is what came up:

Logfile of HijackThis v1.98.2
Scan saved at 6:20:53 PM, on 8/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\system32\d3jz.exe
C:\WINNT\sapdoccd.log:tgnqc
C:\Documents and Settings\sgrundy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Credence Systems Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.credence.com:8090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 
O2 - BHO: (no name) - {74EB288F-86B2-A706-81A2-10397F1EDCEA} - C:\WINNT\ipvd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [d3jz.exe] C:\WINNT\system32\d3jz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csc-nt.credence.com
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

The thing that I am having trouble with now (and believe will solve my problems if I can find a way to kill it) is the d3jz.exe file. However, it cannot be deleted. If I try to delete it with HJT it will just come right back. In addition, when I try to delete it in Windows it gives me an access denied message.

Thanks again for all the help and any further information or suggestions would be greatly appreciated.
 
See my Aug 28 comment in this thread for a HijackThis tutorial (and KillBox and DLLCompare if needed).

Try booting up in safe mode.
Look in the HijackThis process viewer (check the tutorial for the exact description/location in the program) for d3jz.exe. Stop it if running.

Fix these:
O2 - BHO: (no name) - {74EB288F-86B2-A706-81A2-10397F1EDCEA} - C:\WINNT\ipvd.dll
O4 - HKLM\..\Run: [d3jz.exe] C:\WINNT\system32\d3jz.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Then delete these:
C:\WINNT\ipvd.dll
C:\WINNT\system32\d3jz.exe

Reboot to normal and see what happens.

If some combination of these steps or KillBox/Process Explorer won't get rid of these two files, run DLLCompare and HJT again and post both logs, and we'll try to figure out a next step for you.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
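An added example, not code from this thread or from HijackThis: the checks carr and cableinstaller apply by eye, written as a small Python triage script and run over constructed excerpts of the two logs posted above. The rule names and heuristics are this example's own (HijackThis has no such API), and the excerpts keep only the lines the rules act on. Diffing the second log against the first shows what the user ran into: the Run entry and the BHO were re-created under fresh random names (d3jz.exe, ipvd.dll) after the first cleanup, while the process hosted in the stream sapdoccd.log:tgnqc is still present in both logs, which is why stopping the process (safe mode) has to come before deleting the files.

```python
"""Triage of HijackThis 1.98 logs for CoolWebSearch-style hijacks (added example).

The two log excerpts are constructed from the logs posted in this thread; rule
names are this example's own, not HijackThis terminology.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# %SystemRoot% is C:\WINNT on this Win2K box; accept C:\WINDOWS for XP-era logs.
WINDIR = re.compile(r"^[a-z]:\\(winnt|windows)\\", re.IGNORECASE)
# A second colon after the drive letter means the image lives in an NTFS alternate data stream.
ADS_PATH = re.compile(r"^[a-z]:\\[^:]*:[^\\:]+$", re.IGNORECASE)
# R0/R1 start or search page served out of a DLL resource (res://...dll/sp.html#NNNNN).
RES_HIJACK = re.compile(r"^R[01] - .* = res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9a-f-]+\} - (?P<path>.+)$", re.IGNORECASE)
RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.IGNORECASE)
ORPHAN_PROTOCOL = re.compile(r"^O18 - Protocol: \S+ - \{[0-9a-f-]+\} - \(no file\)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _exe_basename(cmd: str) -> str:
    """'C:\\WINNT\\system32\\atlmt.exe' or 'mobsync.exe /logon' -> 'atlmt.exe' / 'mobsync.exe'."""
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    path = m.group(1) if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1]


def triage(log: str) -> list[Finding]:
    """Return the entries a CWS cleanup should act on, in log order."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if ADS_PATH.match(line):
                findings.append(Finding("process-from-ads", line))
            continue
        m = RES_HIJACK.match(line)
        if m and WINDIR.match(m.group("dll")):
            findings.append(Finding("res-dll-hijack", line))
            continue
        m = BHO.match(line)
        if m:
            if m.group("name").lower() == "(no name)":
                findings.append(Finding("unnamed-bho", line))
            continue
        m = RUN.match(line)
        if m:
            # CWS names its Run value after the random executable it drops in %SystemRoot%.
            cmd = m.group("cmd")
            if m.group("name").lower() == _exe_basename(cmd).lower() and WINDIR.match(cmd):
                findings.append(Finding("self-named-run", line))
            continue
        if ORPHAN_PROTOCOL.match(line):
            findings.append(Finding("orphan-protocol", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


def new_findings(before: str, after: str) -> list[Finding]:
    """Findings only the later log has: components re-dropped under fresh random names."""
    seen = {f.evidence.lower() for f in triage(before)}
    return [f for f in triage(after) if f.evidence.lower() not in seen]


# Constructed excerpts of the 8/27 and 8/30 logs from this thread.
LOG_BEFORE = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\sapdoccd.log:tgnqc
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jamtx.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\jamtx.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.credenc.com:8090
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FE63079E-DA2E-C40F-5367-09720AF611A1} - C:\WINNT\system32\addbf32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [atlmt.exe] C:\WINNT\system32\atlmt.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

LOG_AFTER = r"""
Running processes:
C:\WINNT\system32\d3jz.exe
C:\WINNT\sapdoccd.log:tgnqc
C:\Documents and Settings\sgrundy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Credence Systems Corporation
O2 - BHO: (no name) - {74EB288F-86B2-A706-81A2-10397F1EDCEA} - C:\WINNT\ipvd.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [d3jz.exe] C:\WINNT\system32\d3jz.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

if __name__ == "__main__":
    print("first log:", summarize(triage(LOG_BEFORE)))
    for f in new_findings(LOG_BEFORE, LOG_AFTER):
        print("new after cleanup:", f.rule, "->", f.evidence)
```

The rules are deliberately narrow: a `res://` page is only flagged when the DLL sits under the Windows directory, a Run value only when it is named after a random executable dropped there, and the O17 corporate domain and proxy lines are left alone, since on this machine they are legitimate. Anything the script does not flag still needs a human read, as carr's post shows with the Google Toolbar BHO he chose to remove.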
 
Thanks for the help guys. I will post back as soon as i get a chance to try these suggestions out.

 
Hey all....Success!!!!

Finally got that SOB off my user's computer. I ended up using both HijackThis and AboutBuster. I had to run both a few times and pick and choose things to delete, and in the end... no more Cool Web Search. IE comes up fine now and it no longer redirects the home page to a search site.

Thanks again to every one for all the help :)

 
Good Work!
Thanks for letting us know.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Would be nice to see a follow-up HijackThis log...

I'm not sure if the AboutBuster tool will remove alternate data streams yet?
 
Did a Google search on:

ads removal tool "alternate data stream"


Also:
ads "removal tool" "alternate data stream"
ads "detection tool" "alternate data stream"

Added aboutbuster variations to the search with no luck.

AdAware SE seems to also have some detection capabilities for ADS.

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
 