CoolWebSearch won't go away
Neowin Forums > Windows Support > Windows NT4/2000/XP Client
Tokar
Windows XP Pro

My browser keeps getting hijacked by CWS. CWShredder says it's CWS.HiddenDLL and it removes it, or so it says, only to come back a few reboots later.

When running HijackThis without the CWShredder program, it finds a few problematic entries...

It finds that two of the IE pages are set to the CWS standard page:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\<user>\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\<user>\LOCALS~1\Temp\sp.dll/sp.html

Then it finds:
O2 - BHO: (no name) - {BF160F57-828F-42E6-9FD4-3C6D4BE29528} - C:\WINDOWS\system32\<random name>.dll

And:
O18 - Filter: text/html - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\<random name>.dll
O18 - Filter: text/plain - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\<random name>.dll

Where <random name> is some randomly generated alphanumeric code, in this case jjgd, and it is the same for all three of them.

And lastly, it finds a key, which I don't have a log of, but it's in the registry location of the startup\run stuff, and is a rundll32 of the se.dll as mentioned earlier.


Now...
If I decide to remove this stuff in HijackThis before killing the rundll32.exe process in the Processes list, it does nothing, and everything I checked returns. If I kill the rundll32.exe process, I can delete the entries for good, until it comes back a few reboots later.

After killing rundll32, actually even without killing it, I'm able to delete the se.dll file in the Temp folder. But after a few reboots the file returns, the thing is in the startup, all those entries are back and my homepage is hijacked (as well as causing a lot of my software to crash, like explorer.exe and msimn.exe [Outlook Express]).

I would figure that after I do all the HijackThis work and CWShredder work it would be gone, but it's not.

I remember someone told some other guy who had a recurring CoolWebSearch on his system to check this reg entry, AppInit_DLLs... I can't remember its location. But it would have something that the Windows registry editor couldn't read, and something like Registrar Lite could read it, as well as say if there is actually something there.
I used Registrar Lite and it said the key size was 0, that nothing was there.

So I'm clueless. I have no idea how to remove this thing.

Anyone have any ideas?
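An added example (not code from the thread, from HijackThis, or from any tool named in it) that triages a HijackThis log the way the post above reads one: it parses the R0/R1, O2, O4, O18 and O20 lines, flags the indicators the post describes (a search or start page served as a res:// resource out of a DLL in a Temp folder, an unnamed BHO, a Run entry that rundll32's a DLL out of Temp, MIME filters on text/html and text/plain, and a non-empty AppInit_DLLs), works out which single file sits behind several entries, and orders the cleanup so the rundll32 host is stopped before the registry entries are fixed. The sample log is constructed to mirror the entries above: the two CLSIDs are the ones in the post, while the DLL name jjgd.dll, the user name, the Run value name and export, and the two benign lines are assumptions.

```python
"""Triage a HijackThis-style log for the indicators this thread centres on.

Added example for this page, not code from the thread or from HijackThis.
SAMPLE_LOG is constructed to mirror Tokar's entries: the two CLSIDs are the
ones he posted; the DLL name jjgd.dll, the user name, the Run value name [sp],
the rundll32 export name and the two benign lines are placeholders/assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {BF160F57-828F-42E6-9FD4-3C6D4BE29528} - C:\WINDOWS\system32\jjgd.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [av] C:\Program Files\Example AV\av.exe
O4 - HKCU\..\Run: [sp] rundll32 C:\WINDOWS\temp\se.dll,DllEntry
O18 - Filter: text/html - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\jjgd.dll
O18 - Filter: text/plain - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\jjgd.dll
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
PATTERNS = {
    # R0/R1: IE start/search page values; data is a URL, here a res:// into a DLL
    "R":   re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$"),
    # O2: Browser Helper Object, loaded into every IE and Explorer process
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    # O4: Run/RunOnce autostart entries
    "O4":  re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    # O18: MIME filter registered under HKCR\PROTOCOLS\Filter
    "O18": re.compile(r"^O18 - Filter: (?P<mime>\S+) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    # O20: AppInit_DLLs (the key Tokar checked with Registrar Lite)
    "O20": re.compile(r"^O20 - AppInit_DLLs: ?(?P<data>.*)$"),
}
TEMP_DIR = re.compile(r"\\temp\\", re.I)            # ...\Temp\ or ...\LOCALS~1\Temp\
DLL_IN_CMD = re.compile(r"[A-Za-z]:\\[^\s,]+\.dll", re.I)


def triage(log_text):
    """Return one finding per suspicious line: kind, raw line, implicated file, reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" ", 1)[0]
        pat = PATTERNS.get("R" if kind.startswith("R") else kind)
        m = pat.match(line) if pat else None
        if not m:
            continue
        g = m.groupdict()
        if kind.startswith("R"):
            data = g["data"]
            if data.lower().startswith("res://") and TEMP_DIR.search(data):
                dll = data[len("res://"):].split("/")[0]        # res://<dll>/<resource>
                findings.append(dict(kind=kind, line=line, path=dll,
                    why="search/start page served out of a DLL in a Temp folder"))
        elif kind == "O2" and g["name"] == "(no name)":
            findings.append(dict(kind=kind, line=line, path=g["path"],
                why="unnamed BHO loaded into every IE and Explorer process"))
        elif kind == "O4" and "rundll32" in g["cmd"].lower():
            dll = DLL_IN_CMD.search(g["cmd"])
            if dll and TEMP_DIR.search(dll.group(0)):
                findings.append(dict(kind=kind, line=line, path=dll.group(0),
                    why="Run entry loads a DLL from a Temp folder via rundll32"))
        elif kind == "O18" and g["mime"] in ("text/html", "text/plain"):
            findings.append(dict(kind=kind, line=line, path=g["path"],
                why="MIME filter on " + g["mime"] + " sees and can rewrite every page IE renders"))
        elif kind == "O20" and g["data"].strip():
            findings.append(dict(kind=kind, line=line, path=g["data"].strip(),
                why="AppInit_DLLs injects the DLL into every process that loads user32.dll"))
    return findings


def shared_components(findings):
    """Files referenced from more than one entry type: one implant, several hooks.
    In Tokar's log the same random DLL is both the BHO and both MIME filters."""
    by_file = defaultdict(set)
    for f in findings:
        by_file[f["path"].lower()].add(f["kind"])
    return {p: sorted(kinds) for p, kinds in by_file.items() if len(kinds) > 1}


def removal_plan(findings):
    """Ordered steps. The order is the point the thread makes the hard way:
    unfixing registry entries while the rundll32-hosted DLL is still running
    just gets them rewritten, so stop the hosts first, then fix, then delete."""
    files = sorted({f["path"] for f in findings})
    steps = ["end rundll32.exe (and any IE/Explorer) instances hosting: " + ", ".join(files)]
    steps += ["HijackThis fix: " + f["line"] for f in findings]
    steps += ["delete file: " + p for p in files]
    steps.append("reboot without opening IE/Explorer, rescan, diff against this log")
    return steps


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["kind"], f["path"], "-", f["why"])
    print("shared:", shared_components(found))
    print("\n".join(removal_plan(found)))
```

On the sample log this flags six lines, reports jjgd.dll as the one file behind the O2 and both O18 entries, and leaves the about:blank start page, the named BHO and the antivirus Run entry alone. Paste a real log in place of SAMPLE_LOG; the value of running it again after a reboot is the diff, which is how the "it comes back" loop in this thread gets pinned to whichever entry reappears first.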
Jaded
Before running CWShredder, are you turning off System Restore? Also try MS AntiSpyware. I have found it pretty good at removing CWS.
Tokar
QUOTE(Jaded @ Feb 12 2005, 02:31)
Before running CWShredder, are you turning off System Restore? Also try MS AntiSpyware. I have found it pretty good at removing CWS.


I've had System Restore off since day 1.

MS AntiSpyware doesn't find anything, to tell you the truth. Excuse me, I'm using GIANT AntiSpyware, most recent version (1.0.301 or something), which is the last version before it became MS AntiSpyware. It finds nothing.
Marsden
Like the man said, move up to the real deal...
Hawkeye
Hmm. This does look like something I have seen before. It may be a very nasty variant of CWS, but I'm not 100% sure at this point.

See my post here from a few weeks ago. It's long and detailed, but make sure you read all of it carefully and see if it will work for you.

If I remember correctly, your homepage in Internet Explorer is most likely hijacked and is set to about:blank. When this variant of CWS isn't on your computer, about:blank is supposed to show a blank white page. Since the CWS is on your computer, it likely shows some search engine-like page.
buzz99
There is a new version of CWShredder somewhere. Get some antispyware software (Ad-Aware, Spybot, SpywareGuard, SpywareBlaster and YES, Microsoft AntiSpyware), clean your system and wait a day. Do the same if CWS comes back. You can beat spyware!!!
Tokar
OK...

Marsden: GIANT is the same as Microsoft. It uses the same engine and the same antispyware definitions. It doesn't matter which you use. In fact GIANT is a bit better since it comes with some built-in code to prevent certain ActiveX hijacks, something which Microsoft removed and hopefully will add at a later time (it was called System Inoculation)... GIANT tells current users not to upgrade, rather to let their current subscription run its length.

Hawkeye: yeah, that thread, the one I had replied in. If you look at my original post in THIS thread, I had said there was nothing showing in AppInit_DLLs.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs... that is the location, I checked there. That was the first thing I did actually... I went and read your post when I first got the infection.

buzz99: CWShredder 2.13. As I said in my original post it finds CWS.HiddenDLL. It says it removes it, but it keeps coming back. I have SpywareBlaster, but that isn't really a spyware remover, rather something that secures your computer to protect against further infection. I don't need or want Ad-Aware or Spybot. And as I said, Microsoft = GIANT... it's the exact same product. I've just waited a day and it came back after cleaning.


Here's the only update I have...
I was deleting the file c:\documents and settings\<user>\local settings\temp\se.dll... which it was first running. But after I deleted that it would put itself in c:\windows\temp, same DLL, and initialize it there, which I didn't notice until after I made the post. I thought deleting it would fix it, but it didn't.
k22
Are you closing all windows (IE and Explorer) when you run CWShredder? Also, it would not hurt to try Ad-Aware and Spybot (both detect CoolWebSearch as well); you can uninstall them if they don't remove it.
ghostwind
You should try using a browser like Firefox. Unless you have to surf websites that use ActiveX and other Microsoft-unique features, Firefox is a much more secure product.
Tokar
QUOTE(ghostwind @ Feb 13 2005, 00:18)
You should try using a browser like Firefox. Unless you have to surf websites that use ActiveX and other Microsoft-unique features, Firefox is a much more secure product.


Thanks but no thanks.

As I tell every other person who suggests this... this is pretty bad advice to give anyone, if you ask my opinion. Most people prefer not to change what they use on the computer... and suggesting they do so is not usually good advice. It's usually the last advice I give anyone in need of help with a certain program (to tell them to use another program that does the exact same thing).

As for the guy who said to close IE and such: yeah, IE is closed when I run it.

I suppose I can give Ad-Aware and SB a try... I'm assuming you mean run those things AFTER I clean up the system (or what I believe to be clean), yes?

If yes, I'll let you know my results after the runs.
Tokar
OK... now this time Kaspersky, when opening Internet Explorer and getting the about:blank page, says that se.dll is infected with:
Trojan.Win32.startpage.gn

And it deletes it.

It deletes the two se.dll files when I open up their folders:
c:\documents and settings\<user>\local settings\temp
c:\windows\temp

Now that I have deleted the DLLs (they no longer exist), every program that relies on some component of Windows or something crashes, since it's tied to the missing DLL, I believe. It won't be until I reboot that everything fixes itself.
This includes explorer.exe, Internet Explorer, Outlook Express... to name a few.

Every time I open an Explorer window or Internet Explorer window I get this... it's as if it creates the DLL now when I open it.
ghostwind
QUOTE(Tokar @ Feb 13 2005, 05:59)


Simmer down... It really isn't that big of a deal. I was just stating a known fact about Firefox. It isn't Microsoft's fault that it has 95% of the market share and is subject to numerous vulnerabilities... anyways, you can always try blocking the program from running through software policies if you are running XP Professional.
k22
Start > Run, sfc /scannow to replace any damaged/missing system files.

Also, yes, run both Ad-Aware http://www.lavasoft.de/ and Spybot http://www.safer-networking.org/
Tokar
QUOTE(ghostwind @ Feb 13 2005, 01:11)
Simmer down... It really isn't that big of a deal. I was just stating a known fact about Firefox. It isn't Microsoft's fault that it has 95% of the market share and is subject to numerous vulnerabilities... anyways, you can always try blocking the program from running through software policies if you are running XP Professional.


I'm not upset, nor is the hair on my back raising up like a ****ed off cat. I'm just stating what I think when people suggest that.
Hawkeye
Tokar, my apologies for making such a generic reply and not reading through your entire post. It was about 5:00 AM in the morning when I posted the first time, half asleep.

I did read your whole post this time. I actually did some research on the side with this also, and it actually appears that there is a newer CWS variant going around that also has the about:blank homepage hijack in Internet Explorer, but isn't fixed using the methods for the other one. History may actually come to show this variant more insidious than the other one from before!

Here is one thing that may or may not work, but there is no harm in trying it. It's a removal tool from Symantec that is supposed to remove the particular spyware/trojan responsible for it. It may or may not work if you have the new variant, but as I said, there is no harm in trying. Here it is: Backdoor.Agent.B Removal Tool.

Post here to let us know if you have any success at all with it. It will scan your hard drive and remove it if it finds anything, or report that it found nothing if that is the case.
Tokar
I installed a trial version of Webroot Spy Sweeper.

There is so much junk on here that GIANT/Microsoft fails to detect, it's not even funny.
Even after removing it, it all comes back by itself for Webroot to detect all over again.

Interestingly, Spy Sweeper detects CWS on the system. I have to go back and check the logs as to which it is. All it detects under it, though, is about 15-20 registry entries... no files or folders. It keeps coming back though.

I tried Ad-Aware but it kept on crashing right as it finishes the scan. I hit cancel twice, and nothing shows up in the results. *shrugs*
DJ Trauma
Did you guys try Spybot Search & Destroy? It's free and it can match the commercial ones.
umteen
I wonder where you picked up this "oh so hard to get rid of" variant of CWS?
I've all faith in GIANT AntiSpyware for preventing it installing in the first place, yet you say that you are a user?
I wonder how you have it set up?

Anyway, for CWS there is always this site of course:
http://www.spywareinfo.com/~merijn/cwschronicles.html

speak.up

I think I had the same problem on my father's computer... Spy Sweeper would detect the CWS and 'remove it', but after I restarted the machine it would come back...

I ran Ad-Aware, Spy Sweeper and even Spyware Doctor and nothing would get rid of it... Finally, I was able to get rid of it with HijackThis.

In HijackThis I did the following:

I checked all the entries with about:blank, some suspicious BHOs, the two Filter: text entries and some of the entries that include the 'Search Bar'... I had to do it twice since I forgot some entries and after I rebooted CWS had come back... I don't remember deleting any DLLs... But I could check in the backup in case it helps...

Hope you can get rid of it... I know how annoying that can be...




Tokar
QUOTE(DJ Trauma @ Feb 14 2005, 06:45)
Did you guys try Spybot Search & Destroy? It's free and it can match the commercial ones.



Don't want to burst your bubble... but have you read this article?

http://windowssecrets.com/050127/

QUOTE
Product                       Adware Fixed   False Pos.
Giant AntiSpyware             63%            0
Webroot Spy Sweeper           48%            0
Ad-Aware SE Personal          47%            0
Pest Patrol                   41%            10
SpywareStormer                35%            0
Intermute SpySubtract Pro     34%            0
PC Tools Spyware Doctor       33%            0
Spybot Search & Destroy       33%            0
McAfee AntiSpyware            33%            9
Xblock X-Cleaner Deluxe       31%            1
XoftSpy                       27%            3
NoAdware                      24%            0
Aluria Spyware Eliminator     23%            3
OmniQuad AntiSpy              16%            1
Spyware COP                   15%            0
SpyHunter                     15%            1
SpyKiller 2005                15%            2
Tokar
QUOTE(umteen @ Feb 14 2005, 07:00)


It's easier for me to play this off as being my computer (which it isn't) than to describe what the problem actually is.

The problem is such:
Someone I do computer work for (as in fixing and such) has her computer and 2 other laptops, and her computer, a desktop, is badly infected, which is the computer being described in this thread. It's much harder for me to coach her over the phone or over AIM since she isn't really that fast at doing this computer stuff. Currently I'm unable to go to her house to fix her computer because I'm at school 100 miles away from her house. The way I'm fixing her computer, though, is by using RealVNC (hopefully you know what this is... if you don't, it's like Remote Desktop, where I can see and control her desktop as if it was my own). This is very helpful and she appreciates me spending the time to try to fix her computer.

Now, having said that... would you rather I play this off as my computer? Or say it's a friend's computer and have you say "tell your friend to try this", "tell your friend to try this"... and make it seem like I'm a middleman relaying messages back and forth?
Tokar
QUOTE(speak.up @ Feb 14 2005, 07:08)


I've done HijackThis a million times.

After cleaning it off, and in the period of time when the computer "seems" fine, all the entries in HijackThis look, and are, completely safe (then again, maybe something is being tied into the AOL Instant Messenger executable... lol).

It takes under a day for everything to come back though... at that point, HijackThis reports the bad O18 entries of the wacky CWS DLL in C:\windows\system32, there are two R1 entries for the \sp.dll/blank webpage, and there is, I think, an O13 entry for that same wacky DLL... all of which I remove.

At that same point, opening Explorer windows (such as My Computer), or opening Outlook Express, or Internet Explorer, creates the file C:\windows\temp\se.dll and appends an entry to the startup to do a rundll32 on that DLL. Kaspersky sees it being created and reports that it's infected with Trojan.Startpage.Win32.gn and it asks me to delete it. Since it denies Windows access to the DLL, Windows gives me an error saying that access is denied to the file se.dll. I delete it and it goes away, only to try to recreate itself and be redetected by Kaspersky when I open any of these programs again.
Now... in the state of "seeming" clean, if I reboot, it never does that junk with the se.dll. But as I said, it takes less than a day while the computer is running to reinfect itself.
dan
I've said it before and I'll say it again...

Format, format, format...

Don't say it's not an option, it's just pure laziness... Do a proper backup and format.
Tokar
QUOTE(dan @ Feb 14 2005, 07:23)
I've said it before and I'll say it again...

Format, format, format...

Don't say it's not an option, it's just pure laziness... Do a proper backup and format.


In most circumstances I would do that.

If you read up 3 posts including yours, you will see that the problem is not with my computer, rather with a person I do computer work for. I hadn't said so until now because I figured it would be easier for you guys to say to have ME do something, rather than treat me as a middleman and say for "her to try something". Maybe it's not easier, but from my experiences with such threads in which it's a friend's computer that has the problem, I'd rather be helping a person straight up, because I get the feeling with such threads that he has to relay that message on to the friend, he does it, sends back the results, then the post comes in, and the cycle starts all over. It's kind of something that makes you feel negative about the original poster, so much so that you don't feel like waiting for such delayed responses.

Now, is formatting an option?... For now, it's not. 1) She isn't capable of formatting. 2) I'm 100 miles away from doing it manually (since I'm the only one she knows who can do it), and I really don't want to be backing up her stuff over VNC, having her sit at the computer and pop in blank CDs every time I'm ready to make a new CD.

Since I'm going home for Presidents' weekend (home being where she is located as well), I will suggest it to her. Otherwise, until then I will try to fix this via conventional antispyware means over RealVNC.

Believe me... I'm not trying to say that this is bad advice like the guy who suggested using Firefox (sure, using Firefox will get around those nasty about:blank problems, but what about the infection... it still remains, right?... right. Besides, it's not only the about:blank thing, the infection causes problems with explorer.exe and a lot of other programs). I have suggested formatting to her before, but she said she didn't know what the hell to do. It's certainly something I would do in her case, because I have neither the inclination nor the time to deal with such recurring problems on my own system. Since it's someone who pays me, and pays me well, I feel compelled to provide such live assistance, and will therefore try my best until I deem it necessary to format... which I would say has an ETA of 4 days (when I go home).
speak.up

... I dunno... it didn't come back anymore after I ran HijackThis twice...
You could run 'Bazooka Adware and Spyware Scanner'... it doesn't clean the computer but identifies the spyware/adware others miss and tells you how you can remove it manually...
See this link: http://www.download.com/Get-rid-of-spyware...94.html?tag=txt

Did you already look at your startup entries?
Tokar
QUOTE(speak.up @ Feb 14 2005, 07:36)


The startup lists 3 things:

AOL Instant Messenger
Kaspersky AntiVirus
Microsoft AntiSpyware...

When the CWS thing reinfects I get a fourth, which I remove, which wants to do a rundll32 on c:\windows\temp\se.dll.

As far as services go... unlike one computer I had to deal with which had like 5 or so spyware things integrate themselves as Microsoft services in services.msc (showing up as like "USB Driver" or so), there are no such services that seem out of place.

I've heard of Bazooka before. I tried it way back in the past and I wasn't very satisfied. Personal opinion, but I'll try it out again when I get some time. I have to leave soon to go to class...
Steffan
Have you tried ToolbarCop?
Mashiki
I had similar problems with a new version of VX2 on a machine I was asked to work on. Damn, it was impossible to get rid of. Hidden DLLs, hooked into the TCP/IP stack, what a mess. To get that I had to use LPS? LSP? to get rid of the one in the stack.

In the end, I had to boot into safe mode. On the first attempt that was what I did and it couldn't be cleaned... it would crash the taskbar and reload itself.

I used KillBox to end active processes and replace them with dummy files on reboot, HijackThis to double-check for active DLLs to make sure I got them all, and Ad-Aware to do an active scan of the drive after.

Tokar
I have ToolbarCop running.

The Run/Startup items look fine...
The Menu Extensions look fine.
The only BHO is for Google Toolbar.
The Browser Extensions are fine.
The only questionable ones are Toolbars....

There are 6 entries labeled "(empty)".
slim_Az
My mate's comp was infected with CWS. I told him it's not worth the bother of trying to remove it 'cos it's a hell of a lot of work; it's better off just backing up your data and reinstalling a clean copy of WinXP.

Problem solved with the minimal amount of stress.
umteen
See this new post, helpful I think.
http://www.neowin.net/forum/index.php?showtopic=285356
Johnw
I use Spybot Search & Destroy. If you immunize, it will keep your PC safe from items while you surf; you can set it up to detect changes to the registry such as IE start pages etc. and have a prompt asking you for permission that you can deny.
Tokar
@Umteen: pretty lacking thread there... one guy makes mention of Spybot, another of CWShredder, things mentioned many times here.

@JohnW: Actually I installed Webroot Spy Sweeper, Ad-Aware and Spybot. All three of them found CoolWebSearch entries and removed them all. I'm going to wait a day or so to see if any of this junk comes back.
umteen
I thought that CWShredder was a newer version than the one you had tried; I was wrong though, it appears.
Also there was the "CWSearch.SmartKiller removal tool" on that page.
Tokar
OK, I think I have pinpointed the problem, but I can't resolve it...

I think the problems on the computer are installing these 3 TMP files in the Temp folder (in Local Settings).

They are named:
~DF5740.tmp
~DFA8DA.tmp
~DFBCEF.tmp

Well, the names change actually... but it's always three temp files whose names start with ~DF...

When I try to delete them while logged in, I can't because all three are in use.

Having said that I'm remotely doing the fixing, I can't go into the Recovery Console to delete them... so I needed to get clever.
I logged in as Administrator and just deleted them manually, which worked; the thing is, though, similar tmp files were created under the Administrator account in the Temp folder. But once I log in as the user again, they get recreated.

I figured then that I would rid the system of a link to the Temp folder. There is something in the registry (after having had to fix this with the Recent Documents problem in the recent past) that points to the Temp folder, with the entry: %USERPROFILE%\Local Settings\Temp
Figuring I would remove the link to that, it would rid me of the files being created.
Well, they just created themselves in the Documents and Settings folder instead...

I can't get rid of them and these are the only files that are left over after deep cleaning the system with every known good adware remover program known to man.
umteen
Lavasoft Ad-Aware has just released new definitions that include updates for CWS.
JRosenfeld
Tokar,

I think those files ~DFxxxx.temp are generated when you open an app that uses .NET Framework 1.1 (at least that's the case with me). They can be deleted after a reboot.

BTW, CWShredder is now owned by InterMute. Latest version is 2.13.

http://www.intermute.com/spysubtract/cwshr...r_download.html
Tokar
QUOTE(JRosenfeld @ Feb 16 2005, 17:05)



lol, have you even read the past 30 posts? I've been using this new version since day 1....
I should just edit the post and say in the description I have tried CWS 2.13 over and over...

I'd like to say that those TMP files can't be deleted after reboot. They end up getting used again. If I delete them by any means (Recovery Console, logging in as someone else), the next time I log in they are recreated under a different name...
kawai
What's up with all the trolling on CWS? I use it on all my computers and it provides the same if not better than Google search.
Mike Frett
LOL @ kawai. I had this blasted thing once and it was a bitch to get rid of. Had to remove it manually in the end.
Neoforcer
Try this to remove CoolWebSearch. Attached is About:Buster 4.0; it was made only to remove CoolWebSearch and does a good job. Here is how to use it:

1. Close all apps.
2. Run About:Buster 4.0 a couple of times.
3. Run HijackThis and remove
~DF5740.tmp
~DFA8DA.tmp
~DFBCEF.tmp
4. Reboot. Don't open IE or Explorer; this is because there are still exe programs running in memory.
5. After restart, run About:Buster 4.0 to see if anything is found; if not, it is safe to open IE again.
robnovice
Tokar

My first time on this board but I'm a regular on CastleCops and SpywareInfo.

I am having the exact same problem with one of my PCs.

Only difference is that I'm running Windows ME as my OS.

As to the problem with this "se.dll", you are exactly right that it is a beast to get rid of. It has to be a new variant that has a file somewhere that I haven't recognized. Another thing I noticed is that a program titled Search Assistant is generated in Control Panel's Add/Remove Programs. Of course it will not uninstall there, so I get rid of it in regedit. I also get pop-ups on my desktop even when I'm not using IE.

Now let me just say I do all of these things:
Try to remove the hijack in standard mode with HJT, Ad-Aware, and Spybot
That never works fully because se.dll can't be removed when it's in use
Reboot in safe mode
Disable System Restore
Delete c:\windows\temp\se.dll and its random .dll companion in c:\windows\system
Delete all temp internet files, cookies, history, and temp files
Reset all IE settings
Run HJT, delete all about:blank's and rundll32 c:\windows\temp\se.dll, sp.html and anything else that shouldn't be there
Run Spybot S&D
Run Ad-Aware SE
Run that seemingly useless About:Buster 4.0 ("outdated", new variants are smarter than this prog)
Open up msconfig and kill the sp startup that corresponds
Open up regedit and delete all mentions of about:blank, sp.html, se.dll, the random .dll that generates in c:\windows\system, and the Search Assistant uninstall (see above)
Restart PC
Run HJT, Ad-Aware, and Spybot....... find there is nothing left
Enable Spybot S&D's resident helper to block any changes to my registry
I stopped using IE, disabled all of its Java and ActiveX abilities
Leave computer alone for a few hours and *POW* it all comes back

Now I'm assuming this is what happens to you too....... so if anybody sees a flaw in this approach, please offer some insight. If not, don't rehash the same old fixes because they are not working on this bugger.

Now the only thing I can think of is that there is a file somewhere. A .dll, .exe, whatever, that keeps redownloading all of this hijack all over again when you aren't looking.
If we find that, we beat it.
redstalker
HELP FOR SP.DLL SE.DLL COOLWEBSEARCH ABOUT:BLANK

Hello everyone!!!

I would like to help you with this kind of problem. (Please be patient with my English, I'm not that fluent, OK.) I've already come up against this; I maintain 3 internet cafes here in the Philippines and 5 of the PCs here had the same problem as yours. I used all kinds of anti-spyware and anti-adware but they don't work..
Here's what..

It is a virus.. you have to get rid of it..

All you have to do is to get a kit..

1. Download (or if you have them) the HijackThis and KillBox software. We'll use them later.

2. Update your anti-virus software. (I used McAfee version 6 and updated the virus definition files this February.)

3. Close all IE programs.

4. Use the KillBox software, then terminate RUNDLL32.DLL (the virus uses this file to restore registry entries). Note that you terminate it, do not delete this file.

5. Use the HijackThis program and delete the entries you discussed before (which includes about:blank / se.dll / sp.dll / BHO no name etc.).

6. Run Windows Explorer (anti-virus must be turned on), go to the c:\windows folder, explore all files until your anti-virus notifies you that "??task.dll is a virus" (I'm very sorry, I forgot the name of that file which is the virus, but as I have said, if your anti-virus is updated it will automatically be detected). Same thing for the c:\windows\system32 folder (but most of the time it was stored in the default Windows folder).

7. Reboot your computer.

8. Press F8 to select Command Prompt (in Windows 98); for XP use the startup menu.

9. Type cd windows\temp

10. Type del *.* - this will delete all the files in the Temp folder.

11. Restart your PC.

I hope you've got it.. again I'm sorry if I'm not that perfect in English.. I hope this will help you.. please send me an email if you have questions.

rodney_redstalker@yahoo.com / rodney@mtc.gov.ph

Good luck!!!





QUOTE(Tokar @ Feb 12 2005, 07:24)
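As an added example (not code from this thread or from any of the tools it names), a small Python triage script that applies the checks the posters made by hand to HijackThis log lines: a search page served from a DLL under Temp, an unnamed BHO, text/html and text/plain MIME filters, a Run entry that rundll32s a DLL from Temp, and the "same DLL for all three" correlation. The sample lines are constructed; "user" stands in for the profile name and "abcd1234.dll" is a made-up stand-in for the randomly named DLL.

```python
import re
from collections import Counter

# Constructed HijackThis-style lines modelled on the entries quoted in this
# thread. The second O2 line (a benign helper) and the O4 line are invented
# for illustration; "abcd1234.dll" is a made-up name, not a real indicator.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
O2 - BHO: (no name) - {BF160F57-828F-42E6-9FD4-3C6D4BE29528} - C:\WINDOWS\system32\abcd1234.dll
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\Helper.dll
O18 - Filter: text/html - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\abcd1234.dll
O18 - Filter: text/plain - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\abcd1234.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\Temp\se.dll,DllInstall
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# First "X:\...\name.dll" on the line; stops at a comma so "se.dll,DllInstall" is split.
DLL_RE = re.compile(r"[A-Za-z]:\\[^,]+?\.dll", re.IGNORECASE)

def parse_hjt(text):
    """Split a HijackThis log into records of section, body and referenced DLL."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        dll = DLL_RE.search(body)
        entries.append({"section": m.group("sec"), "body": body,
                        "dll": dll.group(0).lower() if dll else None})
    return entries

def triage(entries):
    """Flag the patterns described in the thread; returns (section, reason, dll)."""
    findings = []
    for e in entries:
        sec, body, dll = e["section"], e["body"], e["dll"]
        in_temp = bool(dll and "\\temp\\" in dll)
        if sec in ("R0", "R1") and ("res://" in body or in_temp):
            findings.append((sec, "start/search page served from a local DLL", dll))
        elif sec == "O2" and "(no name)" in body:
            findings.append((sec, "unnamed Browser Helper Object", dll))
        elif sec == "O18" and re.search(r"Filter: text/(html|plain)", body):
            findings.append((sec, "MIME filter hooked on text/html or text/plain", dll))
        elif sec == "O4" and "rundll32" in body.lower() and in_temp:
            findings.append((sec, "Run entry loads a DLL from a Temp folder", dll))
    return findings

def shared_dlls(findings):
    """DLLs referenced by more than one flagged entry (the 'same for all three' pattern)."""
    counts = Counter(f[2] for f in findings if f[2])
    return {d: n for d, n in counts.items() if n > 1}
```

Run `triage(parse_hjt(SAMPLE_LOG))` on a real log and the DLL that `shared_dlls` reports is the one to look for in both the file system and the registry before removing entries.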

wfdragon
Redstalker,

Thanks for your post -- unfortunately following the instructions did not remove the problem. I have the exact same symptoms as Tokar and have tried all the same tricks he has used, all with the same result, i.e. it all comes back again!!!

Norton did find the "TrojanStartPage" virus in a couple of suspicious DLLs including "se.dll". I deleted them all, followed the rest of the instructions and at first thought that finally someone had figured out how to kill it for good -- but to no avail, it was all back less than 24 hours later.

Currently trying the Symantec instructions for removing Trojan.StartPage.G (there are at least 3 versions: F, G, and H) -- I'll post the results after 24 hrs to see if it really stays away.

Any other thoughts or suggestions on how to get rid of this most insidious pest -- besides reloading the entire OS -- would be greatly appreciated.

WF Dragon



QUOTE(redstalker @ Feb 21 2005, 06:42)

Tokar
I gave up, man.

I backed up my files and all and reinstalled.

I have neither the time nor the inclination to deal with the problem anymore.

edit: by the way wfdragon...I did the same thing as you...I went to some antivirus library site and checked out all the variants of this trojan.startpage.win32.XX.
There are quite a few of them. A lot of them are outdated though, and have the obvious executable trojan.startpage.win32.XX.exe. And the directions for removing such were just to stop the process and delete the EXE.

I went through them all, and they made references to a few files I had seen over the period of trying to fix the problem, none of which existed during that time when the computer seemed fine. None of the directions helped me fix it.

I even used an updated HOSTS file from some site that is over 200 KB and blocks a boatload of ad sites...that did no good, as it must be contacting some site that's not on there.

Considering that I was doing this over remote connection software, I never got the chance to test out the system with no internet.
It would have been interesting to see if it recreated the file if the internet was off.
Marsden
Turn off System Restore

Run msconfig and turn everything off.

Reboot into Safe Mode

Run MS Antispyware

Check for funny folders on your C:\ drive

In the Windows directory check for files with newer dates and zero info when you hover your mouse over them. Compare the *.exe, *.dll, and *.dat files against your Windows system file dates. Sort by date and all the crap will be near the top.

Search the C:\windows\system32 folder for the same files as above.

As you delete these files make a note of them and when finished fire up regedit and search for references to the deleted files.

After cleaning your registry with regedit (don't use 3rd party tools to do this)

Reboot into Safe Mode again and run MS Antispyware. You should be clean at this point.

Reboot normally and run msconfig again and turn on only those programs that you know to be valid windows or trusted 3rd party programs.

Reboot your machine and CWS should be completely removed.

Turn System Restore back on.
Neoforcer
Try here to resolve your problems

How to remove coolweb search
Tokar
Well, first off...this thread should be closed, and the posts used for information purposes. I have already solved my problem by formatting and reinstalling.

Neoforcer: that forum post had nothing to do with my problem. Did you happen to notice that in that post he makes no reference to the file I had problems with (c:\windows\temp\se.dll)?

Marsden: I don't know where you got your copy of MS Antispyware from, but mine sure doesn't detect CoolWebSearch.

wfdragon
To all -- I'm happy to report that 24 hours later I have not seen any evidence of the trojan returning -- while I still don't believe anyone fully understands what we are dealing with -- for now -- following Redstalker's post and Symantec's instructions on how to get rid of Trojan.StartPage.G (note: not all steps found any files to delete) it looks like at least there may be a way to get rid of the little pest!! Please let me know if it works for you too.


Regards,
WF Dragon


QUOTE(Tokar @ Feb 23 2005, 04:30)

robnovice
I'm still having this same problem. I'm gonna try and do the same as dragon.
But I think I went down this path before.

I guess Tokar's fix is looking better and better but I don't want to give in just yet.
Invision Power Board © 2001-2009 Invision Power Services, Inc.