Jump to content


Photo

I can't get rid of CoolWebSearch


  • Please log in to reply
3 replies to this topic

#1 espacio

espacio

    Member

  • New Member
  • Pip
  • 2 posts

Posted 11 June 2004 - 10:15 AM

Hi guys,

I would be really happy if there was finally someone able to help me solve the COOLWEBSEARCH problem.

Even though:
- I have been using CWS Shredder, Ad-aware
- I have installed latest SP1a Service pack
I still cannot get rid of CWS :techsupport: . Shredder produces the report that there are 6 files removed and the system is clean. But when I run Explorer back again I get tones of popups and my starting page sets automaticly into:
res://mshp.dll/index.html#37049 or
http://69.31.87.248:...n/index.cgi?c=0

I've read some articles on this forum and I've seen some solution telling to run Reglite, then \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and "Double click on AppInit_DLLs to open a "Data Editor"". Unfortunately, I cannot find any "AppInit_DLLs" there.

Please have a look at my logfile (generated after using CWS Shredder and running Explorer). Please also notice that this logfile is different from the one generated just after using shredder but before running Explorer, for example there is no: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049.

thanks a lot.

Logfile of HijackThis v1.97.7
Scan saved at 16:47:01, on 2004-06-11
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\CWS\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Pawel\Dane aplikacji\msys\msys.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\Pawel\Dane aplikacji\msys\ipqh.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Pawel\Dane aplikacji\msys\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\ScannerP\TBRIDGE\BIN\InstantAccess.exe /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: komentator - http://sport.onet.pl/komentator.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8149.2118634259

#2 magichatter06

magichatter06

    Member

  • Full Member
  • Pip
  • 1 posts

Posted 11 June 2004 - 10:19 AM

I think that I am having that same prob...but no one replied to my topic..so I don't know... my homepage will just automatically reset the homepage to something and pop ups will come up and I have ran everything... so I do not know!

#3 caruch6392

caruch6392

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 11 June 2004 - 10:23 AM

get rid of all this crap:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Pawel\Dane aplikacji\msys\msys.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\Pawel\Dane aplikacji\msys\ipqh.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Pawel\Dane aplikacji\msys\msiesh.dll

these can definately go:

O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\ScannerP\TBRIDGE\BIN\InstantAccess.exe /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerP\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

more improtantly the first one is probably the key to the problem: both can go

O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: komentator - http://sport.onet.pl/komentator.cab

look at my signature to download adaware and spybot and spyware blaster

hope this helps {SoW}Rob
UPDATE and run adaware adware
UPDATE and run spybot spybot search and destroy
UPDATE and run cwshredder cwshredder
update and use spyware blaster spywareblaster
a nifty little program a squared 2 a squared 2
free virus scanner avg anti-virus
another free antivirus Avast!

dont forget to do windows updates windows updates

my pontiac grand prix gt
Posted Image

http://www.cardomain...id/fallen_blade

#4 espacio

espacio

    Member

  • New Member
  • Pip
  • 2 posts

Posted 11 June 2004 - 12:53 PM

Thanks a lot for your help. No more CWS on my comp!!!!!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button