Jump to content


Malware Removal

  • Please log in to reply
5 replies to this topic

#1 Corwin



  • Full Member
  • Pip
  • 6 posts

Posted 25 July 2004 - 02:46 PM

I have followed the directions in this forum for removing the Cool Web Search Virus. This includes running the most recent versions of Spybot Search 1.208, Ad-Aware, CWS shredder 1.59, and AboutBuster 1.31. However, my computer still has the virus. Is there someone out there who knows how to get rid of my version of this pest? :scratchhead:

#2 discogail


    "All you need is a gorilla and a dream"

  • Emeritus
  • Pip
  • 86 posts

Posted 25 July 2004 - 05:43 PM

Show us.........
download HijackThis from
to a folder of your choice......doubleclick to open."Scan"...then "Save Log"...when it opens in notepad.......copy (edit..select all..copy) & paste (CTRL-V) the log into your next reply.......

#3 Corwin



  • Full Member
  • Pip
  • 6 posts

Posted 25 July 2004 - 07:23 PM

Below is the Hijack log you requested. The R0 and R1 listings are clearly malware. I checked the other Hijack listings by clicking on the process database links I found on this forum and searching for the listings in the databases. As far as I could tell, the other listings are not malware but maybe I missed one.

The instructions I read on this forum for using AboutBuster.exe stated to delete unknown O2 and O4 Hijack listings before running AboutBuster. I did that (I even tried deleting all of them) and tried the alternate suggestion of running AboutBuster with the computer in Safe mode. However, the virus persists.

I have noticed that Hijack can eliminate the malware listings if all Internet windows are closed (sometimes it takes more than one Hijack scan and delete cycle to accomplish this). However, the malware reappears in a Hijack scan after I start Internet Explorer, even when the computer is not connected to the Internet.

Thanks for your help.

Logfile of HijackThis v1.97.7
Scan saved at 5:22:10 PM, on 7/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7871.6020949074
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion...global/msc3.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...ymail/ymmapi.dl

Edited by Corwin, 25 July 2004 - 07:32 PM.

#4 mmxx66


    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 04 September 2004 - 05:10 PM

Sorry for the delay, if you still have problems post a fresh log please

#5 Corwin



  • Full Member
  • Pip
  • 6 posts

Posted 07 September 2004 - 10:02 PM

Problem solved, but thanks for inquiring. I searched the forums for someone that had the same version of the CWS virus. The fix-it instructions that person received were not directly applicable to my computer, but they enabled me to figure out how to get rid of the virus on my computer.

Is anyone going to take over for Merlin and periodically update CWS Shredder? AboutBuster 1.31 and CWS Shredder 1.59 could not eliminate this version of the CWS virus.

Edited by Corwin, 07 September 2004 - 10:03 PM.

#6 mmxx66


    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 08 September 2004 - 10:39 AM

Glad you could solve your problem
About Buster 3.0 has been released.
Im not sure about CWshredder.
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
So how did I get infected in the first place?

Good luck :D

Edited by mmxx66, 08 September 2004 - 10:40 AM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button