

Help with coolwebsearch!

2 replies to this topic

#1 Nsontag




Posted 02 July 2004 - 07:21 PM


OK, so I have been running Ad-aware for a while now, and it recently has come up with this damn cool web search. I have just spent at least 6 hours trying to rid my system of it, but to absolutely no avail.

I have tried Ad-aware, Spybot S&D, Spy Sweeper, and none of these have worked. I also downloaded the cool web search shredder, but the two servers it tries to update from appear not to be responding. Furthermore, it doesn't even detect this version of cool web search on my system, even though Ad-aware picks it up. Ad-aware can get rid of it until the next reboot, but then it comes back with a vengeance. I have even tried to manually track down and delete its components in the system folders and the registry, but to no avail. It seems to have at least 7 different registry keys that are being spontaneously generated from somewhere, and the same is true of system files.

Suspicious file names include the following


The first of these has just been added to my startup list and was detected by Spy Sweeper, but as soon as I delete it, it is instantly regenerated. If anyone has ANY ideas, please help me!!

PS. Here is my log file

StartupList report, 02/07/2004, 4:22:59 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Nolan\My Documents\Maintenence stuff\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options

Running processes:

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Nolan\My Documents\Maintenence stuff\HijackThis.exe
C:\Documents and Settings\Nolan\My Documents\Maintenence stuff\StartupList.exe


Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
AceGain LiveUpdate = C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
Camera Detector = C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
apirz.exe = C:\WINDOWS\apirz.exe
Ad-aware = "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\winft32.dll - {278A4561-F3AF-BEC0-0916-B64763DD408A}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}


Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll


#2 NsaneRAZ




Posted 02 July 2004 - 08:04 PM

alright, i have been fighting with this thing since 6-16-04 and i finally killed it 2day.

kill all files as of and after the date of infection (unless u r certain the files r from new virus/trojan scanners u jus downloaded). i look at it this way, if ur computer ran b4 that date, then why wud these files matter. yeah so delete all files as of and after date of infection. where? go to C:\windows and C:\windows\system

look for .dats, .dlls, etc with random names, especially ones with a 32 on the end.
(to find the date of the items, right click the folder and hit sort by date...and we're in windows and windows\system folders)
blah blah theres lots of information on this. anyway

"Suspicious file names include the following


if u got them as of or after date of infection...delete them or else your effort 2 kill the virus is probably worthless.

my advice is to do all this in safe mode (google it if u duno..or look at forums)

kill all tht, run spybot, and ad-aware (with latest reference file), fix all bad things found in hijack this (again all this can be found on forums here)

delete all ur temp files, history etc. if u really wana make sure...start up in ms dos and delete ur cookies, temp, history thru that

theres so much shit its hard 2 xplain it all but theres dif degrees of this virus.

oh yea get about blank buster, even if ur not sure what tht is. itll help kill off the dll virus thing.

also, go to ur system folder, and kill off VSCONFIG.XML, especially if its 1MB+...u gotta kill tht in DOS

here's the command (each line entered separately)

CD windows
CD windows\system
del vsconfig.xml
-it shud say deleted or ull see sumthn happen at least..and then type CD windows
and then WIN to boot into windows.

jus run all the programs mentioned on this forum, fix all ur registry files (find in forum the way 2 do this), delete all files after date of infection, and ull eventually kill this menace

#3 Freebird



Posted 02 July 2004 - 08:36 PM

Nsontag, hi, thanks for the info.

Whilst everybody will learn from the information that you have provided, can you not use 'net' speak, i.e. b4, "u r" etc.? Many of the people who visit this board are not native English speakers, and many are not conversant with the "slang" Net contractions that you used.

Please, say anything you need to, but use whole words, not contractions of words. That way, people will know exactly what you mean.

Not a criticism, but people need to fully understand the information you might give.

We know the speed of light......but, what's the speed of dark? Steven Wright - Scientist and Comedian
