
Thread: Need help removing Cool Web Search

  1. #1
    pearse
    Guest

    Need help removing Cool Web Search

    I've tried everything, but it just keeps coming back. I ran CWShredder and then HijackThis. Below is my log. Can anyone help????

    Logfile of HijackThis v1.97.7
    Scan saved at 5:15:53 PM, on 9/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\webshots.scr
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Documents and Settings\Jon Pearse\Desktop\Hijack this\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://intranet.ppco.com/intranet"); (C:\Program Files\Netscape\Users\jpearse\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn200...rInstaller.exe
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1089119852361
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...655.3795601852
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A790} (BerbCln Object) - http://www.microsoft.com/security/co.../0/BerbCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ppco.com
    O17 - HKLM\Software\..\Telephony: DomainName = ppco.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81397E0C-F292-4557-822D-24AAD18C9324}: NameServer = 192.168.2.36 192.168.2.37
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ppco.com

  2. #2
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,970
    CWS has gotten quite brutal to try to remove. My honest input is to back up whatever data and settings you have on your computer, and wipe her clean. Because as is pretty much the case with CWS, you spend gobs of time trying to remove it... only to have it come back on you within a few days and a few reboots.

    Take a look at the root of your C drive...see any odd .EXEs there? Same with C:\Windows\System...probably a whole bunch of randomly named alpha-numeric .EXE files.

    If you wish to give it a go...

    Empty all files in your temp directory, as well as temp internet files (the location of these directories depends on which OS you are using).

    Get a few other opinions with different antivirus programs.
    AVG free edition
    Online free scan from Housecall, available at www.antivirus.com
    Note what files they cannot remove, reboot in safe mode, and manually remove
    Get the latest Lavasoft AdAware, update it, and run a scan
    Get the latest PepiMK Spybot Search and Destroy, update it, immunize, and scan

    Google toolbar to help stop some of the popups.

    Anyways, just my thoughts...to seriously ponder formatting and installing from scratch. A lot of stuff to think about before doing that though...have you ever installed an OS before? Drivers? Some things to look into if you haven't done it before.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  3. #3
    Dr Tweak mnosteele52's Avatar
    Join Date
    Jul 2001
    Location
    Chesapeake, VA
    Posts
    11,912
    YOSC is right, a reformat is best. It is possible to beat it but you must know what you are doing.

    If you want to try and remove it then follow what YOSC posted. Here is a little more detail on what to do:

    Please download Ad-aware, SpyBot Search & Destroy and AVG 6.0 FREE and set them all up EXACTLY as I have written HERE. This will offer much deeper scanning than the default settings that will find more spyware/malware. Make sure to uninstall your current antivirus program prior to installing AVG.

    * If Ad-aware and SpyBot find multiple infections then I suggest you download, update and scan with Spy Sweeper, there is a FREE 30-day trial and it is an EXCELLENT product.

    If after doing ALL of the above and you are still having problems please post a HijackThis log here in this forum for us to look at, make sure you have the latest version - 1.98.2.


  4. #4
    gerbera
    Guest
    CWS just had me going in circles for abt 2 months and I seem to finally have rid myself of it, without having to go through any lengthy manual process. Now I am not really that knowledgeable abt computers but I thought I would share what I have done so far.

    I have WinXP and the programs I used to remove CWS are Webroot SpySweeper 3.2 and McAfee VirusScan 9.0.1. The bug I had was identified by SpySweeper as CWS_NS3 and CWS_NS3 Hijacker.

    At first I was using the free ISP provided version of SpySweeper. That program allowed me to stop the homepage from getting hijacked, but my IE default search page was still getting redirected to "Home Search" and I was still getting "Only the Best" pop-ups that were avoiding my pop-up blocker.

    I bought the latest version of SpySweeper and swept my system. After that SpySweeper was able to keep a new registry entry from being added to my startup programs. Though it would tell me this every 2-3 mins so I knew that I still had the problem.

    I downloaded Service Pack 2 for XP and by chance an automatic update for VirusScan. I ran VirusScan and found 681 infected files that were previously undetected. They were infected with a Trojan identified as BackDoor-BDD. I am assuming that this is one of the mechanisms that is part of CWS_NS3. I deleted the files that were able to be deleted, as some were "not found" upon the request for deletion.

    I then ran SpySweeper again, which once again found CWS_NS3 and CWS_NS3 Hijacker, and had SpySweeper delete the culprit files.

    I ran VirusScan once more, which found another 124 files infected with BackDoor-BDD, and had them deleted.

    That was 6 days ago and since then I have had no homepage hijacks, no weird alternate IE search page, no unusual pop-ups and no alerts from SpySweeper nor VirusScan of any suspect activity. Also upon running SpySweeper & VirusScan every day I have found no traces of CWS_NS3, CWS_NS3 Hijacker nor BackDoor-BDD. And I usually turn my PC on and off about twice a day.

    I can't be sure that you'll have the same results, but it worked for me.
    (At least for the last week!!)

    If my problems reappear I will post a follow up, reporting my failure!

    Good Luck!

  5. #5
    Ohh Hell yeah.. Sava700's Avatar
    Join Date
    Feb 2002
    Location
    Somewhere
    Posts
    24,051
    Isn't there a utility from Cool Web to use to remove it? I've run into that situation once, having a similar program get on the computer and put an extra bar above and all kinds of crap... had to contact the company that made it from their web site and after a few emails and threats to sue LOL they sent me a removal tool.

  6. #6
    Vood Child hayc59's Avatar
    Join Date
    Jul 2001
    Location
    LSD melts in your mind, not in your hand.
    Posts
    2,355
    Borrowed from PGPhantom who did a great write up on this canned fix

    Variant #39 of CoolWebSearch - IE pages changed to real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc, hijack inexplicably returning on reboot with no file seemingly responsible

    Please follow the procedure below exactly as listed:

    1 - Close all programs and disable system restore as per these instructions.

    2 - Download this zip: Process Viewer. Please unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping, go to the desktop. Open the pv folder. Double click on the runme.bat - A DOS window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter.

    3 - A notepad window will open with a lot of information in it about running processes etc. Click "Format" and make sure "Word Wrap" is not selected. Click on "Edit" => "Find" and type in "61c00000 61440" (Without the quotation marks) and click on "Find Next". If this particular version of CWS is found, you will get a match similar to: "logignh.dll 61c00000 61440 c:\windows\system32\logignh.dll". The filename will always be different (i.e. loginh.dll) - This is the problem but this will always be constant: 61c00000 61440.

    4 - Please download TheKillbox from here: The KillBox. Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following: c:\windows\system32\logignh.dll <= Remember that the dll filename will be different than the one here. Don't click any of the buttons though, instead please click on the "Action" menu and choose "Delete on Reboot". On the next screen, click on the "File" menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the "Action" menu and select "Process and Reboot". You'll be prompted to reboot, do so.

    5 - When you're back in Windows, please run the latest version of CWShredder available from this link.

    6 - Please double click the runme.bat again. This time choose option 7 to clean appinit.

    7 - Please double click the runme.bat again. This time choose option 6 for appinit contents. Notepad will open with a log in it. The specific line we are interested in is: "AppInit_DLLs"="". It should be exactly as listed - There should be no .dll file in this line.

    8 - Click on this link which will reset your search page, load page etc for IE back to the defaults from Microsoft. If you want a different "Start Page", open Internet Explorer and browse to the page/site that you want. Once it has loaded, click on "Tools" => "Internet Options" and under the "General" tab, click on "Use current".

    9 - Reboot and enable system restore as per these instructions: http://www.pchell.com/virus/systemrestore.shtml

    r u xprincD
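
The two checks in the procedure above (steps 3 and 7), as an added example that is not part of the original post or of the tools it links to. The column layout of the module listing and the registry-export form of the AppInit log are assumptions, and both sample inputs are constructed.

```python
import re

# Constants from the post above: this CWS variant's DLL always shows
# base 61c00000 and size 61440, whatever its file name is.
CWS_BASE, CWS_SIZE = "61c00000", "61440"

# Constructed sample module listing ("name base size path"); the exact
# layout of the real Process Viewer log is an assumption.
SAMPLE_MODULES = r"""
ntdll.dll     77f50000 684032 c:\windows\system32\ntdll.dll
shell32.dll   773d0000 8347648 c:\windows\system32\shell32.dll
logignh.dll   61c00000 61440 c:\windows\system32\logignh.dll
"""

# Constructed sample of the "appinit contents" log, registry-export style.
SAMPLE_APPINIT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\logignh.dll"
'''

MODULE_RE = re.compile(r"^\s*(\S+)\s+([0-9a-fA-F]{8})\s+(\d+)\s+(.+?)\s*$")
APPINIT_RE = re.compile(r'^\s*"AppInit_DLLs"\s*=\s*"(.*)"\s*$', re.I)

def find_cws_modules(listing):
    """Return paths of loaded modules matching the variant's base and size."""
    hits = []
    for line in listing.splitlines():
        m = MODULE_RE.match(line)
        if m and m.group(2).lower() == CWS_BASE and m.group(3) == CWS_SIZE:
            hits.append(m.group(4))
    return hits

def appinit_dlls(log):
    """Return DLLs named in AppInit_DLLs: [] is the clean state from step 7,
    None means the value does not appear in the log at all."""
    for line in log.splitlines():
        m = APPINIT_RE.match(line)
        if m:
            value = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
            # Windows treats the value as a space- or comma-separated list.
            return [p for p in re.split(r"[ ,]+", value) if p]
    return None

if __name__ == "__main__":
    print("modules matching signature:", find_cws_modules(SAMPLE_MODULES))
    print("AppInit_DLLs entries:", appinit_dlls(SAMPLE_APPINIT))
```

Matching on base and size rather than on the file name follows the post: the name changes from machine to machine, the two numbers do not.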

  7. #7
    R.I.P. 2013-11-22 blebs's Avatar
    Join Date
    Dec 2000
    Location
    North Canton, Ohio
    Posts
    12,819
    hayc59, I've even had cases where that didn't work either. My problem is working with people that are computer illiterate and unable to format, or I'd just have them do that too and save myself a lot of nerve racking.

  8. #8
    gerbera
    Guest

    It Worked

    WinXP with Service Pack 2, latest version of Webroot SpySweeper with all shields active & latest version of McAfee VirusScan were able to easily remove CWS_NS3 & CWS_NS3 Hijacker from my PC. Two sets of alternating sweeps (sweep, scan / sweep, scan) and two weeks later and everything's buzzin' nicely. No probs, no activity and no worries.

  9. #9
    SG Enthusiast Jstyr's Avatar
    Join Date
    Nov 2001
    Location
    The Swamp
    Posts
    2,822
    I was able to get rid of a CWS variant (no idea which variant) using Symantec's security response.

    Check out this page here http://securityresponse.symantec.com...artpage.g.html

    Symantec calls it Trojan.startpage.G. By removing 2 registry entries I was able to get rid of the variant I had. G'luck.

  10. #10
    Flaxen
    Guest
    There is a home search assistant removal guide here:

    How to remove Home Search Assistant , CWS_NS3

    Hope it helps some of you
