www.coolwebsearch.com

By Thomas O'Malley
in Smart Home, Network & Security

 Share

Recommended Posts

Apprentice

Thomas O'Malley

Posted
  • Author
Posted
Sometimes it's best to just throw in the towel and format.

I know thats the simple answer, but it is effective. Once you have formatted, install

spyware blaster etc, and hopefully it won't happen again.

585231489[/snapback]

And loose all the music files on my computer? No way.

Grand Master

Farstrider

Posted
Posted

Ok here goes another effort, lets see if this works:

This is CoolWebSearch.qttasks manual removal:

Delete registry values:

Browse to the key:

'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'

Delete the value 'QuickTime Task'

Delete files:

qttasks.exe

Automatic removal:

Link

Apprentice

Thomas O'Malley

Posted
  • Author
Posted

I want to thank everybody who gave me hints and tips concerning this problem. At this moment everything seems under control en the CWS-'things' seems disappeared for the last 4 hours or so. Even after rebooting the system. The only thing I did was scan the disks over and over again with Spy Sweeper. After the fifteenth scan it seems gone. Let's hope it stays this way, also when I start the computer back up in the morning. A very good night to all from Belgium, Europe, and best to all of you.

In case the problem remains you'll see this topic back on top of the list. ;)

Time for a yell: Yiiiiiiiiiiiiiihaaaaaaaaaaaa :D

Mentor

Night.Hawk

Posted
Posted
I want to thank everybody who gave me hints and tips concerning this problem.  At  this moment everything seems under control en the CWS-'things' seems disappeared for the last 4 hours or so.  Even after rebooting the system.  The only thing I did was scan the disks over and over again with Spy Sweeper.  After the fifteenth scan it seems gone.  Let's hope it stays this way, also when I start the computer back up in the morning.  A very good night to all from Belgium, Europe, and best to all of you.

In case the problem remains you'll see this topic back on top of the list.  ;)

Time for a yell: Yiiiiiiiiiiiiiihaaaaaaaaaaaa  :D

585232209[/snapback]

YAY!! :D Party Party! :fun: Let's hope it stays gone.

Rising Star

Avalanche

Posted
Posted

How come that such "tools" are legal ( or not ? ), blocking sites and programs without approving this is illegal as it allmost takes control of your pc and I also don't understand that after all the things we hear in the news and websites about the fight for spam by microsoft, ISP's, government, ... that that thing is still up ???

Please enlighten me

Experienced

LastSamurai

Posted
Posted (edited)

dude, you see those R1 entries and the last 023 entry called "Remote Procedure Call (RPC) Helper" in your Hijackthis Log? those are the bad ones causing the problem. like I said before, get a software called "About:Buster", search google for "home search assistant removal", follow the instructions to remove the malware.

Edited by LastSamurai
Apprentice

Thomas O'Malley

Posted
  • Author
Posted
dude, you see those R1 entries and the last 023 entry called "Remote Procedure Call (RPC) Helper" in your Hijackthis Log? those are the bad ones causing the problem. like I said before, get a software called "About:Buster", search google for "home search assistant removal", follow the instructions to remove the malware.

585237571[/snapback]

I installed all these downloads and made them run. http://www.bleepingcomputer.com/forums/tutorial85.html

I also downloaded a file called aboutbuster like you recommended.

Still the problem remains.

Community Regular

siddhs

Posted
Posted (edited)

Awright Guysss...

The SpyWare :devil: is here.....

I hate this f***** spywares.....I was looked down upon by my room-mates when I got infected :pinch:

So...here it goes...

Download, save to desktop, but do not run yet:

WinSock

and

HosterHoster

Also Download -- Killbox

Since you already have HijackThis....Try doing the following.....

Go to C Drive....and do the following....

select New then Folder and name it HJT. (C:\HJT\HijackThis.exe)Move HijackThis.exe into this folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

Then run this application...FindIT

Unzip the contents of the new finditnt2000xp.zip to a convenient location. Must be unzipped. It will not work properly if run from within the zip.

1. Navigate to the Find It NT-2K-XP folder and double-click on find.bat.

2. A command prompt will open and it will search your computer for malicious files.

3. Once it has finished a Notepad window will pop up with output.txt.

Please try to avoid rebooting or swirtching users until instructed to do so. Existing file names change and new ones are created each time.

Dont thank me ....not my work :)

-Siddhs

Edited by siddhs
Apprentice

Thomas O'Malley

Posted
  • Author
Posted
here is a better removal guide:

http://www.short-media.com/review.php?r=259&p=2

if you're not sure which files and hijackthis entries are bad ones, please post a new log cuz malware files' names might change after you reboot system.

585240290[/snapback]

Thx dude, I'll let you know if this works. I can't do it all in one day. Pc goes off now, and I'll try it in a couple of days.

If this doesn't work I'll try siddhs' way.

See you in a few days, hopefully with good news ;)

Grand Master

Farstrider

Posted
Posted

These are the CooWebSearch varieties, a $hit load of them as you can see!

Go here and all the manual instructions are available, but you must ID the variant!

Secure Most

CoolWebSearch

CoolWebSearch.Alfasearch

CoolWebSearch.control

CoolWebSearch.cpan

CoolWebSearch.ctrlpan

CoolWebSearch.DNSE

CoolWebSearch.DNSErr

CoolWebSearch.ehttp

CoolWebSearch.excel10

CoolWebSearch.explorer32

CoolWebSearch.iefeatsl

CoolWebSearch.iefeatslupdate

CoolWebSearch.image

CoolWebSearch.keymgrldr

CoolWebSearch.ld

CoolWebSearch.madfinder

CoolWebSearch.mssearch

CoolWebSearch.mstaskm

CoolWebSearch.msupdate

CoolWebSearch.msupdater

CoolWebSearch.mtwirl32

CoolWebSearch.notepad32

CoolWebSearch.olehelp

CoolWebSearch.qttasks

CoolWebSearch.quicken

CoolWebSearch.soundmx

CoolWebSearch.sys

CoolWebSearch.time

CoolWebSearch.winproc32

CoolWebSearch.xplugin

CoolWebSearch.xpsystem

1. Remove coolwebsearch: DataNotary, BootConf and MSInfo variants

Turn off user-style sheet option at Tools->Internet Options->Accessibility in your Internet Explorer.

You should now be able to delete the user stylesheet from the Windows folder. With DataNotary it is called 'default.css'; with MSInfo it is called 'oslogo.bmp'; with Bootconf it may be either.

2. Remove coolwebsearch: MSInfo variant Delete the line ?run=C:WINDOWS..PROGRA~1COMMON~1MICROS~1MSINFOmsinfo.exe? from win.ini file in your Windows folder. This line may be changed a little on different systems, but will always point to msinfo.exe.

Delete the ?c:ProgramFilesCommon FilesMSInfo' folder.

3. Remove coolwebsearch: BootConf, SvcHost variants Open the registry and find the key HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun Delete the bootconf.exe or svchost.exe entry

You can then delete the bootconf.exe or svchost32.exe file from the System folder (called 'System32' on Windows NT/2000/XP).

4. Remove coolwebsearch: BootConf, SvcHost, MSInfo variants Find the file ?HOSTS? with no extension in the driversetc folders in your System folder

Either edit it to remove the hijacker entries, or simply delete the file.

5. Remove coolwebsearch: PnP variant

Find the registry key HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun Delete the SysPnP entry

Also delete the oemsysinf.pnp file from the 'inf' folder inside your Windows folder.

6. Remove coolwebsearch: MSSPI variant This is very tricky to remove by hand as this can result in loosing your internet connection. It is advised that you do not do this by hand. Open the registry key HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinSock2 ParametersProtocol_Catalog9Catalog_Entries Delete the subkeys starting with the path of msspi.dll Renumber the remaining subkeys, and set the Num_Catalog_Entries value in the Protocol_Catalog9 key to match the highest numbered subkey left. Open the registry key HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun Delete the a msupdate entry if it is there

Restart the computer and you should be to delete msspi.dll in the System folder (called 'System32' on Windows NT/2000/XP), along with msupdate.exe if it is present.

7. Remove coolwebsearch: DNSRelay variant Open a DOS command prompt window and enter the following commands: cd "%WinDir%System" regsvr32 /u dnsrelay.dll Restart

You should be able to delete the file 'dnsrelay.dll' in the System folder (called 'System32' on Windows NT/2000/XP).

After you have removed any variants of CoolWebSearch which you have there is one last thing which you need to do to complete the removal process. Go to Internet Options->Programs->Reset Web Settings in your Internet Explorer to remove the hijacked home page and search settings.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.