Need help removing Cool Web Search

pearse · 09-24-04, 05:23 PM

I've tried everything, but it just keeps coming back. I ran CWshredder and then hijack this. Below is my log. Can anyone help????

Logfile of HijackThis v1.97.7
Scan saved at 5:15:53 PM, on 9/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Documents and Settings\Jon Pearse\Desktop\Hijack this\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://intranet.ppco.com/intranet"); (C:\Program Files\Netscape\Users\jpearse\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn200...rInstaller.exe
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1089119852361
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...655.3795601852
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A790} (BerbCln Object) - http://www.microsoft.com/security/co.../0/BerbCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ppco.com
O17 - HKLM\Software\..\Telephony: DomainName = ppco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{81397E0C-F292-4557-822D-24AAD18C9324}: NameServer = 192.168.2.36 192.168.2.37
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ppco.com

***YeOldeStonecat*** · 09-24-04, 05:41 PM

CWS has gotten quite brutal to try to remove. My honest input, is backup whatever data and settings you have on your computer, and wipe her clean. Because as is pretty much the case with CWS, you spend gobs of time trying to remove it..only to have it come back on you withing a few days and a few reboots.

Take a look at the root of your C drive...see any odd .EXEs there? Same with C:\Windows\System...probably a whole bunch of randomly named alpha-numeric .EXE files.

If you wish to give it a go...

Emtpy all files in your temp directory, as well as temp internet files (the location of these directories depends on which OS you are using.

Get a few other opinions with different antivirus programs.
AVG free edition
Online free scan from Housecall, available at www.antivirus.com
Note what files they cannot remove, reboot in safe mode, and manually remove
Get the latest Lavasoft AdAware, update it, and run as scan
Get the latest Pepki Spybot Search and Destroy, update it, immunize, and scan

Google toolbar to help stop some of the popups.

Anyways, just my thoughts...to seriously ponder formatting and installing from scratch. A lot of stuff to think about before doing that though...have you ever installed an OS before? Drivers? Some things to look into if you haven't done it before.

**mnosteele52** · 09-24-04, 06:53 PM

YOSC is right, a reformat is best. It is possible to beat it but you must know what you are doing.

If you to try and remove it then follow what YOSC posted, here is a little more detail in what to do:

Please download Ad-aware, SpyBot Search & Destroy and AVG 6.0 FREE and set them all up EXACTLY as I have written HERE. This will offer much deeper scanning than the default settings that will find more spyware/malware. Make sure to uninstall your current antivirus program prior to installing AVG.

* If Ad-aware and SpyBot find multiple infections then I suggest you download, update and scan with Spy Sweeper, there is a FREE 30-day trial and it is an EXCELLENT product.

If after doing ALL of the above and you are still having problems please post a HijackThis log here in this forum for us to look at, make sure you have the latest version - 1.98.2.

gerbera · 09-24-04, 11:08 PM

CWS just had me going in circles for abt 2 months and I seem to finally have rid myself of it, without having to go through any lengthy manual process. Now I am not really that knowledgeable abt computers but I thought I would share what I have done so far.

I have winXP and the programs I used to remve cws are Webroot Spysweeper 3.2 and McAfee VirusScan 9.0.1. The bug I had was identified by spysweeper as CWS_NS3 and CWS_NS3 Hijacker.

At first I was using the free ISP provided version of SpySweeper. That program allowed me to stop the homepage from getting hijacked, but my IE default search page was still getting redirected to "Home Search" and I was still getting "Only the Best" pop-ups that were avoiding my pop-up blocker.

I bought the lastest version of SpySweeper and swept my system. After that Spysweeper was able to keep a new registry entry from being added to my startup programs. Though it would tell me this evry 2-3 mins so i knew that i still had the problem.

I downloaded ServicePack 2 for XP and by chance an automatic update for VirusScan. I ran VirusScan and found 681 infected files that were previously undetected. They were infected with a Trojan identified as BackDoor-BDD. I am assuming that this is one of the mechanisms that is part of CWS_NS3. I deleted as files that were able to be deleted as some were "not found" upon the request for deletion.

I then ran SpySweeper again which once again found CWS_NS3 and CWS_NS3 hijacker and had spysweeper delete the culprit files.

I ran VirusScan once more which found another 124 files infectd with BackDoor-BDD and had them deleted.

That was 6 days ago and since then I have had no homepage hijacks, no weird alternate IE searchpage, no unusal pop-ups and no alerts from Spysweeper nor VirusScan of any suspect activity. Also upon running Spysweeper & VrisScan evry day I have found no traces of CWS_NS3, CWS_NS3 Hijacker nor BackDoor-BDD. And I usually turn my PC on and off about twice a day.

I cant be sure that you'll have the same results, but it worked for me.
(At least for the last week!!)

If my problems reappear I will post a follow up, reporting my failure!

Good Luck!

**Sava700** · 09-25-04, 09:55 AM

isn't there a utility from Cool Web to use to remove it? I've ran into that situation once having a similar program get on the computer and put a extra bar above and all kinds of crap.. had to contact the company that made it from there web site and after a few emails and threats to sue LOL they sent me a removal tool.

**hayc59** · 09-25-04, 10:10 PM

Borrowed from PGPhantom who did a great write up on this canned fix

Variant #39 of CoolWebSearch - IE pages changed to real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc, hijack inexplicably returning on reboot with no file seemingly responsible

Please following the procedure below exactly as listed:

1 - Close all programs and disable system restore as per these instructions.

2 - Download this zip: Process Viewer. Please unzip it to the desktop. It will not work if you run it from inside the zip. After unzipped go to the desktop. Open the pv folder. Double click on the runme.bat - A dos window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter.

3 - A notepad window will open with a lot of information in it about running processes etc. Click "Format" and make sure "Word Wrap" is not selected. Click on "Edit" => "Find" and type in "61c00000 61440" (Without the quotation marks) and click on "Find Next". If this particular version of CWS is found, you will get a match similar to: "logignh.dll 61c00000 61440 c:\windows\system32\logignh.dll". The filename will always be different (i.e. loginh.dll) - This is the problem but this will always be constant: 61c00000 61440.

4 - Please download TheKillbox from here: The KillBox. Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following: c:\windows\system32\logignh.dll < = Remember that the dll filname will be different than the one here. Don't click any of the buttons though, instead please click on the "Action menu" and choose "Delete on Reboot". On the next screen, click on the "File" menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

5 - When you're back in windows, please run the latest version of cwshredder available from this link.

6 - Please double click the runme.bat again. This time chose option 7 to clean appinit.

7 - Please double click the runme.bat again. This time chose option 6 for appinit contents. Notepad will open with a log in it. The specific line we are interested in is: "AppInit_DLLs"="". It should be exactly as listed - There should be no .dll file in this line.

8 - Click on this link which will reset your search page, load page etc for IE back to the defaults from Microsoft. If you want a different "Start Page", open Internet Explorer and browse to the page/site that you want. Once it has loaded, click on "Tools" => "Internet Options" and under the "General" tab, click on "Use current".

8 - Reboot and enable system restore as per [URL=http://www.pchell.com/virus/systemrestore.shtml]these instructions

**blebs** · 09-26-04, 07:17 AM

hayc59 I've even had cases where that didn't work either. My problem is working with people that are computer illiterate and unable to format or I'd just have them do that too and save myself alot of nerve racking.

gerbera · 10-01-04, 03:19 AM

WinXP with ServicePack2, latest version of Webroot SpySweeper with all shields active & latest version of McAfee VirusScan were able to easily remove CWS_NS3 & CWS_NS3 Hijacker from my PC. Two sets of alternating sweeps(sweep, scan / sweep, scan) and two weeks later and everything's buzzin' nicely. No probs , no activity and no worries.

**Jstyr** · 10-04-04, 03:55 PM

I was able to get rid of a CWS variant (no idea which variant) using symantec's security response.

Check out this page here http://securityresponse.symantec.com...artpage.g.html

Symantec calls it Trojan.startpage.G. By removing 2 registry entries I was able to get rid of the variant I had. G'luck.