coolwebsearch problem

[RavishingRocket]

i have adaware installed but not an antivirus yet. i have been taken over by cws. i have just did a format and fresh install of xp so i havent got to reinstall all my apps yet. i use the adaware to clean it but when i open up internet explorer, cws comes rite back. i tried installing avg free edition but when i click on it it just deletes ifself. i also have tried cws shredder. what else am i to do here? thanks

 

[overclocker]

RavishingRocket

I had the same thing happen to me. Try this program: miniremoval_coolwebsearch_smartkiller, you can get it at http://www.fixyourwindows.com/windowsxpsolutions.htm and click on "miniremoval_coolwebsearch_smartkiller"

 

[lazerman]

Get HiJackThis here- http://www.majorgeeks.com/downloadget.php?id=3155&file=11&evp=3304750663b552982a8baee6434cfc13

Do a scan with it and post the results here (do not check anything and have HiJackThis fix it!). I will tell you what to check and have hijackthis fix.

 

[RavishingRocket]

i did the online virus scan, it found nothing. i tried the mini removal smartkiller thing and it said nothing found. i did a scan with spy sweeper and it countinuosly finds CWS_Hputi. when scanning with adaware it finds 36 traces of CWS in regkeys. so i clean that out and im fine but when i open up explorer then scan again, all 36 traces are rite back.

Logfile of HijackThis v1.98.2
Scan saved at 10:07:26 AM, on 10/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\FreeRAM XP Pro 1.40.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rocket\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\02H6MO~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [FreeRAM XP] "C:\WINDOWS\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Startup: YahooPOPs.lnk = ?
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096747993829
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - AppInit_DLLs: u7sjf5gymehm.dll

 

[lazerman]

Okay give me a few minutes to sort it out.

 

[lazerman]

Here is your first problem-

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\02H6MO~1.DLL

That is coolwebsearch parasite. There may be more stuff so just keep waiting, in the mean time check that and have hijackthis fix it.

 

[RavishingRocket]

i have checked and fixed that BHO, but when i open explorer again, that same thing comes back in the scan

 

[lazerman]

I'm not finished yet. Did you by chance add greg-search.com to your trusted sites zone? If not have it fix this:

O15 - Trusted Zone: *.greg-search.com

 

[lazerman]

Hav it fix this as well:

O20 - AppInit_DLLs: u7sjf5gymehm.dll

If your still getting the coolwebsearch bar then download this and try it- http://www.computercops.biz/downloads-file-349.html

First go to the update, then fix.

 

[RavishingRocket]

i have already tried the cws shredder. it says not present on everything