
Quatermass
Veteran

Joined: 27 Apr 2006
Age: 41
Gender: Male
Posts: 18,779
Location: Right behind you...

06 Jun 2006, 6:11 am

3 months ago, I made the mistake of downloading cracks for Warcraft 3 and running the .exe file that came with it. Minutes after the ads and trojans started &#@*ing up the computer, I pulled the plug on the modem. (I had the computer on the internet at the time because my grandmother was fond of drinking plonk next to her laptop. The computer repair guy said to get better wine :D ) I have spent 3 months (or, to be more precise, the week immediately following the first infection was where most of the work took place) trying to get rid of the adware, spyware, trojans and so on. Most have fallen, thanks to a combination of persistent usage of Norton AntiVirus, Spybot S&D and AdAware.

However, there remains a bane on my computer, and now that I have connected it back to the internet for the first time in 3 months, it is becoming a nuisance.

(I have used other machines to use the internet, and it was on my grandmother's new computer that I found this site)

This beast's name is Cool Web Search.

I have tried, over and over again, to eliminate it, even before reconnection. However, it's one of those variants that create a dll file every time it's deleted, and hides in the winlogon process. I know enough about computers to do some things, but this little bastard has got me parrying desperately.

I have tried CWShredder and Look2Me destroyers, but it hasn't worked, although I'm sure it is Look2Me. CWShredder hasn't been updated for months anyway.

Symptoms:

1. During AdAware's scanning process, an error occurs in a "Run DLL as App" program or process. Shortly thereafter, Windows Explorer temporarily closes from another error.

2. At the end of each AdAware scan, it complains that it cannot remove such-and-such files until the next reboot. For some strange reason, "My Documents" opens.

3. Windows Firewall is disabled, as is the means to reactivating it. Thankfully, I've got ZoneAlarm in place as a substitute.

Anyone here who is in the know about this annoying little piece of $#!t? Can you help me remove the sod?

If the person who gets it is inclined towards video games music, I can point them towards a few good sites in return.


_________________
(No longer a mod)

On sabbatical...


Z
Raven

Joined: 18 Apr 2006
Age: 60
Gender: Male
Posts: 114

06 Jun 2006, 7:45 am

If you have identified the active files and the dlls it creates in the logon process then I have something that might help.

Get a program called "moveonboot". Then tell it to delete the files. It will do this next time you logon, and since it does it so early in the logon process it seems to be able to get them before the files can protect or replicate themselves.

If that doesn't work, or you haven't been able to identify all the files that need killing, then I'd use my universal anti-virus backup plan; transfer my user data to a different hard-drive and wipe the entire operating system. Lets see the virus survive that!



doordoctor
Veteran

Joined: 5 Feb 2006
Age: 40
Gender: Female
Posts: 3,196
Location: central nj

06 Jun 2006, 8:00 am

Maybe you can find its processes in Task Manager. You can try to look them up (one at a time) using www.processlibrary.com, and also check the system startup list. To get to that, go to Start, then Run, then type in MSCONFIG and click the Startup tab. Remove the things you don't need or use (be careful in this area).

To see if you have a trojan, go to Start, click on Run and type win.ini in the field. This will show a list in Notepad format. See if there's a load process; if there's anything after it, it means you have a trojan horse.

Another way to prevent problems is to be careful with your surfing habits (not saying you look at dirty things).

^^^^^^^^^^^^^^^ above is for Windows ^^^^^^^^^^^^^^^^^^^^

Not sure about Linux or Macintosh.

I hope the above was helpful.


_________________
<<"norton" antivirus


Quatermass
Veteran

Joined: 27 Apr 2006
Age: 41
Gender: Male
Posts: 18,779
Location: Right behind you...

06 Jun 2006, 5:48 pm

I actually have "HijackThis" as well. Anyone here know how to interpret a log from this?


_________________
(No longer a mod)

On sabbatical...


Z
Raven

Joined: 18 Apr 2006
Age: 60
Gender: Male
Posts: 114

07 Jun 2006, 3:07 am

That was going to be my next suggestion. When looking at the log I generally delete any program I do not recognise. This is likely to kill the virus you are after, but may well get some things that aren't harmful, since HijackThis just finds code that could be malignant.

But if you are not the only user of the computer or you're not willing to take that risk (probably wise), then you'll need someone more capable of interpreting the log than me.



TheBladeRoden
Veteran

Joined: 10 Feb 2005
Age: 40
Gender: Male
Posts: 1,208
Location: Wisconsin

07 Jun 2006, 3:26 am

Paste your log at hijackthis.de


_________________
"I reject your reality, and substitute my own" -Adam Savage


Quatermass
Veteran

Joined: 27 Apr 2006
Age: 41
Gender: Male
Posts: 18,779
Location: Right behind you...

07 Jun 2006, 3:35 am

Well, first, just in case.

Logfile of HijackThis v1.99.1
Scan saved at 6:30:27 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Campus Computers Utilities\HijackThis 1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A611D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9416868390
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\d6j0lg1m16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I'm sure that the bolded stuff is what I'm looking for. I'll paste it on the HijackThis board...

Hey, does it require registration?


_________________
(No longer a mod)

On sabbatical...


doordoctor
Veteran

Joined: 5 Feb 2006
Age: 40
Gender: Female
Posts: 3,196
Location: central nj

07 Jun 2006, 6:44 am

Sounds all clean there, I don't see any trojans. For Windows to be in an operable state it only needs 7 major processes. I did a search for your processes on processlibrary.com and didn't see any suspicious activity. Maybe you have something in your spyware scanner's and antivirus's exclude list, or the security level is set too low in them?

Have you also tried doing ScanDisk or Defrag or Disk Cleanup? Sounds to me also like maybe something in the registry is goofed with. Do you go into the registry to tweak your system? (I myself avoid this area at all costs.) One wrong click and the system can screw up permanently!

Feel free to PM me.


_________________
<<"norton" antivirus


Quatermass
Veteran

Joined: 27 Apr 2006
Age: 41
Gender: Male
Posts: 18,779
Location: Right behind you...

07 Jun 2006, 6:16 pm

AdAware (with the latest definitions) detects the Look2Me, although nothing can be removed by CWShredder or any other CWS remover or Look2Me remover I have tried.

I actually defragged 2 days ago.

And I'm still getting &#@*ing pop-up ads. I've tried following the registry removal procedures on various websites, although there are no matching registry values.

I've got Spybot S&D to immunise the computer, but I'm still worried about security here. If the pop-up ads can still get through the firewall that I've set up, what about any other info???


_________________
(No longer a mod)

On sabbatical...


doordoctor
Veteran

Joined: 5 Feb 2006
Age: 40
Gender: Female
Posts: 3,196
Location: central nj

08 Jun 2006, 7:50 am

Could be from a trojan that is stealthy. There is a program called tremover that scans and removes trojan horses; it is found at www.simplysup.com. I think it is the trial version (30 days).

Good luck


_________________
<<"norton" antivirus


Quatermass
Veteran

Joined: 27 Apr 2006
Age: 41
Gender: Male
Posts: 18,779
Location: Right behind you...

08 Jun 2006, 10:04 pm

It doesn't work.


_________________
(No longer a mod)

On sabbatical...


emp
Veteran

Joined: 14 Apr 2006
Gender: Male
Posts: 1,002

09 Jun 2006, 7:02 am

Erase and reinstall Windows. A clean fresh new installation. Then you can be sure that all the crap and damage is gone. Yes, it is a pain in the arse.

If you are using Windows XP, note that in the Control Panel you can create a Limited Access user account. Use this limited access account all the time, except when you need to install new programs. To install new programs, you must temporarily log in using the administrator account. While you are logged in as the limited access user, spyware cannot install itself. Does not help if the spyware is already installed.



Quatermass
Veteran

Joined: 27 Apr 2006
Age: 41
Gender: Male
Posts: 18,779
Location: Right behind you...

23 Jun 2006, 7:02 am

OH YEAAHHHH!!!!

I have just gotten rid of it, thanks to (I think) an update to ZoneAlarm. No more pop-ups come up, my Windows Firewall is no longer disabled, and AdAware only shows tracking cookies. Ohhh yeeaaahhh!


_________________
(No longer a mod)

On sabbatical...


doordoctor
Veteran

Joined: 5 Feb 2006
Age: 40
Gender: Female
Posts: 3,196
Location: central nj

23 Jun 2006, 1:22 pm

Great, I'm glad it wasn't something really fatal to the computer. In future please make sure you are up to date with definitions and protection. Be careful in all you do online.


_________________
<<"norton" antivirus


V111
Deinonychus

Joined: 8 Jul 2004
Gender: Male
Posts: 365
Location: Iam V001 as well

26 Jun 2006, 6:49 pm

That's good news, Quatermass. Now, about those tracking cookies: in IE or Firefox, set cookies to Allow session cookies, Allow cookies for the originating website only, and Ask for each cookie. Yes, you will have to click No on some, mostly ad cookies like DoubleClick and others, but in about a week you will no longer have to click many; they will be blocked. The other ones you allow for sites you trust or need a lot, like wrongplanet; the rest can go away. Enjoy :-)


_________________
"Reality is that which, when you stop believing in it, doesn't go away." Philip K. Dick


Captain_Brown
Veteran

Joined: 14 Jun 2006
Gender: Female
Posts: 699

25 Jul 2006, 11:09 am

:twisted: