CoolWebSearch wont go away

By Tokar
in Microsoft (Windows)

 Share

Recommended Posts

Veteran

Tokar

Posted
  • Author
Posted
... I dunno... it didn't come back anymore after I run HijackThis twice...  :blink: ...

You could run 'Bazooka Adware and Spyware Scanner'... it doesn't clean the computer but identifies the spyware/adware others miss and tells how you can remove it manually...

  See this link: http://www.download.com/Get-rid-of-spyware...94.html?tag=txt

Did you already look at your startup entries?

:cool:

585468869[/snapback]

the start up lists 3 things

AOL Instant Messenger

Kaspersky AntiVirus

Microsoft AntiSpyware...

When the CWS thing reinfects i get a fourth, which i remove, which wants to do a rundll32 on c:\windows\temp\se.dll.

As far as services go...unlike one computer i had to deal with which had like 5 or so spyware things integrate itself as microsoft services in services.msc (showing up as like USB Driver or so), there is no such services that seem out of place.

Ive heard of bazooka before. I tried it way back in the past and i wasnt very satisfied. Personal opinion, but ill try it out again when i get some time. I have to leave soon to goto class...

Neowinian

Mashiki

Posted
Posted

I had similar problems with a new version of VX2 on a machine I was asked to work on. Damn it was impossible to get rid of. Hidden DLL's, hooked into the TCP/IP stack, what a mess. To get that I had to use LPS? LSP? to get rid of the one in the stack.

In the end, I had to boot into safemode, the first attempt that was what I did and it couldn't be cleaned...it would crash the taskbar and reload itself.

I used killbox to end active processes and replace them with dummy files on reboot, hijackthis to double check for active DLL's to make sure I got them all, Ad-aware to do an active scan of the drive after.

Rising Star

slim_Az

Posted
Posted

My mates comp was infected with CWS, i told him its not worth the bother of trying to remove it cos its a hell of alot of work, its better off just backing your data and just reinstalling a clean copy of WinXP :rolleyes:

Problem solved with the minimal amount of stress.

Veteran

Tokar

Posted
  • Author
Posted

@Umteen: pretty lacking threat there...one guy makes mention of SpyBot andother CWShredder, things mentioned many times here :).

@JohnW: Actually I installed WebRoot Spysweeper, AdAware and Spy Bot. All three of them found CoolWebSearch entries and removed them all. Im going to wait a day or so to see if any of this junk comes back.

Veteran

Tokar

Posted
  • Author
Posted (edited)

OK i think i have pinpointed the problem, but i cant resolve it...

I think the problems on the computer are installing these 3 TMP files in the Temp folder (in local settings).

They are named:

~DF5740.tmp

~DFA8DA.tmp

~DFBCEF.tmp

Well the names change actually...but its always three temp files whose names start with ~DF...

When i try to delete them while logged in, i cant because all three are used.

Having said that im remotely doing the fixing, I cant go into the recovery console to delete them...so I needed to get clever.

I logged in as Administrator, and just deleted them manually, which worked, the thing is though similar tmp files were created under the administrator account in the temp folder. But once i log in as the user again, they get recreated.

I figured then that I would rid the system of a link to the Temp folder. There is something in the registry (after having to fix this with the Recent Documents problem in the recent past) that points to the temp folder, with the entry: %USERPROFILE%\Local Settings\Temp

Figuring i would remove the link to that, would rid me of the files being created.

Well, they just created themself in the Documents and Settings folder instead...

I cant get rid of them and these are the only files that are left over after deep cleaning the system with every known good adware remover program known to man.

Edited by Tokar
Proficient

JRosenfeld

Posted
Posted

Tokar,

I think those files ~DFxxxx.temp are generated when you open an app that uses .NET framework 1.1 (at least that's the case with me). They can be deleted after a reboot.

BTW CWshredder is now owned by Intermute. Latest versiuon is 2.13

http://www.intermute.com/spysubtract/cwshr...r_download.html

Veteran

Tokar

Posted
  • Author
Posted
Tokar,

I think those files ~DFxxxx.temp are generated when you open an app that uses .NET framework 1.1 (at least that's the case with me). They can be deleted after a reboot.

BTW CWshredder is now owned by Intermute. Latest versiuon is 2.13

http://www.intermute.com/spysubtract/cwshr...r_download.html

585483738[/snapback]

lol have you even read the past 30 posts? ive been using this new version since day 1....

i should just edit the post and say in the description i have tried CWS 2.13 over and over...

Id like to say that those TMP files cant be deleted after reboot. They end up getting used again. If i delete them by any means (recovery console, logging in as someone else), the next time i log in they are recreated under a different name...

Enthusiast

Neoforcer

Posted
Posted

Try this to remove coolweb search attached is About:Buster 4.0 it was made to only remove coolweb search and does a good job. here is how to use it

1 close all apps

2 run About:Buster 4.0 a couple times

3 run hijackthis and remove

~DF5740.tmp

~DFA8DA.tmp

~DFBCEF.tmp

4 Reboot dont open Ie explore this is because there is still exe programs running in memory

5 after restart run About:Buster 4.0 to see if any thing is found if not it is safe to open IE again

AboutBuster.zip

Neowinian

robnovice

Posted
Posted

Tokar

My first time on this board but I'm a regular on castlecops and spywareinfo.

I am having the exact same problem with one of my pc's.

Only difference is that I'm running Windows ME as my OS.

As to the problem with this "se.dll" you are exactly right that is a beast to get rid of. It has to be a new variant that has a file somewhere that I haven't recognized. Another thing I noticed is that a program titled Search Assistant is generated in Control Panel's Add\Remove Programs. Of course it will not uninstall there so I get rid of it in regedit. I also get pop-ups on my desktop even when I'm not using IE.

Now let me just say I do all of these things.

Try to remove the the Hijack in Standard Mode with HJT, Adaware, and Spybot

That never works fully because se.dll can't be removed when it's in use

Reboot in safe mode

Disable system restore

Delete c:\windows\temp\se.dll and it's random .dll companion in c:\windows\system

Delete all temp internet files, cookies, history, and temp files.

Reset all ie settings.

Run HJT, delete all about:blank's and rundll32 c:windows\temp\se.dll sp.html and anything else that shouldn't be there

Run Spybot S&D

Run Ad-aware SE

Run that seemly useless About:Buster 4.0 ("outdated", new variants are smarter than this prog)

Open up msconfig and kill the sp startup that corresponds

Open up regedit and delete all mentionings of about:blank, sp.html, se.dll, random .dll that generates in the c:\windows\system, and search assistant uninstall (see above)

Restart PC

Run HJT, Adaware, and Spybot.......find there is nothing left

Enable Spybot S&D's resident helper to block any changes to my registry.

I stopped using IE, disabled all of it's java and activex abilities.

Leave computer alone for a few hours and *POW* it all comes back

Now I'm assuming this is what happens to you to.......so if anybody sees a flaw in this approach, please offer some insight. If not, don't rehash the same old fixes because they are not working on this bugger.

Now the only thing I can think of is that there is a file somewhere. A .dll, .exe, whatever, that keeps redownloading all of this Hijack all over again when you aren't looking.

If we find that, we beat it.

Neowinian

redstalker

Posted
Posted

HELP FOR SP.DLL SE.DLL COOLWEB SEARCH ABOUT:BLANK

Hello everyone!!!

i would like to help you with this kind of problem. (please be patient with my english im not that fluent, ok) ive already came up with this, i maintained 3 internet cafe here in the philippines and 5 of the pc's here had the same problem as yours. i used all kinds of anti spyware and anti-adware but doesnt work..

heres what..

it is a virus.. you have to get rid of it..

all you have to do is to get a kit..

1. download (or if you have) HijackThis and Kill box softwares. well use it later.

2. update your anti-virus software. (i used mc afee version 6. and updated virus def files this february.)

3. close all ie programs.

4. use the killbox software. then terminate RUNDLL32.DLL (the virus uses this file to restore registry entries.) note that terminate it - do not delete this file.

5. use the hijackthis program and delete entries you discussed before (which includes about:blank / se.dll / sp.dll/ BHO no name etc.)

6. run windows explorer ( anti-virus must turned on) go to the file c:\windows folder, explore all files until your anti virus will notify you that - "??task.dll is a virus" (im very sory i forgot the name of that file which is the virus but as i have said if your anti virus is updated, it will automatically be detected.) same thing to the c:\windows\system32 folder. (but most of the time it was stored in default windows folder).

7. reboot you computer

8. press f8 to select command prompt (in windows 98) for xp use startup.

9. type cd windows\temp

10. type del *.* - this will delete all the files in temp folder

11. restart your pc.

i hope youve got it.. again im sory if im not that perfect in english.. i hope this will help you.. please send me email if you have questions.

[email protected] / [email protected]

GUD LUCK!!!

Windows XP Pro

My broser keeps getting hijacked by CWS.  CWShredder says its CWS.HiddenDLL and it removes it, or so it says.  Only to come back a efw reboots later.

When doing HijackThis without the CWShredder program, it finds a few problematic entries...

it finds that two of the IE webpages are set to CWS standard page:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1<user>\LOCALS~1\Temp\sp.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\<user>\LOCALS~1\Temp\sp.dll/sp.html

Then it finds:

O2 - BHO: (no name) - {BF160F57-828F-42E6-9FD4-3C6D4BE29528} - C:\WINDOWS\system32\<random name>.dll

And:

O18 - Filter: text/html - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\<random name>.dll

O18 - Filter: text/plain - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\<random name>.dll

Where <random name> is some randomly generated alphanumeric code, in this case jjgd...and is the same for all three of them.

And lastly, it finds a key, which i dont have a log of, but its in the registry location of the startup\run stuff, and is a rundll32 of the se.dll as mentioned earlier.

Now...

If I decide to remove this stuff in hijackthis before killing the rundll32.exe service inthe processes, it does nothing, and everything i checked returns.  If i kill the process rundll32.exe, I can delete the entries for good, until it comes back a few reboots later.

After killing rundll32, actually even without kkilling it, I'm able to delete the se.dll file in the temp folder.  But after a few reboots the file returns, the thing is in the startup, all those entries and back and my homepage is hijacked (as well causing a lot of my softwares to crash, like explorer.exe and msimn.exe [outlook express]).

I would figure that after I do all the HijackThis word and CWShredder work it would be gone, but its not.

I remember someone told some other guy who had a recoccuring CoolWebSearch on his system to check this reg entry, App Init Dll...i cant remember its location.  But it owuld have something that the Windows registry editor couldnt read, and something like Registrar Lite could do it, as well as say if there is actually something there.

I used RegistrarLite and it said the key size was 0, that nothing was there.

So I'm clueless.  I have no idea how to remove this thing.

Anyone have any ideas?

585456807[/snapback]

Neowinian

wfdragon

Posted
Posted

Redstalker,

Thanks for you post -- unfortunately folloiwng the instructions did not remove the problem. I have the same exact symptoms as Tokar and have tried all the same tricks he has used all with the same result, i.e. it all comes back again!!!

Norton did find the "TrojanStartPage" virus in a couple of suspecious DLL's including "se.dll" I deleted them all, followed the rest of the instructions and at first thought that finally someone figured out how to kill it for good -- but to no avail it was all back less than 24 hours later.

Currently trying the Symantec instructions for removing Trojan.StartPage.G (there are at least 3 versions F,G, and H) -- I'll post the results after 24hrs to see if it really stays away.

Any other thoughts or suggestions on how to get rid of this most insidious pest -- besides reloading the entire OS -- would be greatly appreicate.

WF Dragon

HELP FOR SP.DLL SE.DLL COOLWEB SEARCH ABOUT:BLANK

Hello everyone!!!

i would like to help you with this kind of problem. (please be patient with my english im not that fluent, ok) ive already came up with this, i maintained 3 internet cafe here in the philippines and 5 of the pc's here had the same  problem as yours. i used all kinds of anti spyware and anti-adware but doesnt work..

heres what..

it is a virus.. you have to get rid of it..

all you have to do is to get a kit.. 

1. download (or if you have) HijackThis and  Kill box softwares. well use it later.

2. update your anti-virus software. (i used mc afee version 6. and updated virus def files this february.)

3. close all ie programs.

4. use the killbox software. then terminate RUNDLL32.DLL (the virus uses this file to restore registry entries.) note that terminate it - do not delete this file.

5. use the hijackthis program and delete entries you discussed before (which includes about:blank / se.dll /  sp.dll/ BHO no name etc.)

6. run windows explorer ( anti-virus must turned on) go to the file c:\windows folder, explore all files until your anti virus will notify you that - "??task.dll is a virus" (im very sory i forgot the name of that file which is the virus but as i have said if your anti virus is updated, it will automatically be detected.) same thing to the c:\windows\system32 folder. (but most of the time it was stored in default windows folder).

7. reboot you computer

8. press f8 to select command prompt (in windows 98) for xp use startup.

9. type cd windows\temp

10.  type del *.*        - this will delete all the files in temp folder

11. restart your pc.

i hope youve got it.. again im sory if im not that perfect in english.. i hope this will help you..  please send me email if you have questions.

[email protected] / [email protected]

GUD LUCK!!!

585509071[/snapback]

Veteran

Tokar

Posted
  • Author
Posted

i gave up man.

I backup my files and all and reinstalled.

I have neither the time or the inclination to deal with the problem anymore.

edit: by the way wfdragon...i did the same thing as you...i went to some antivirus library site, and checked out all the variants of this trojan.startpage.win32.XX.

There are quite a few of them. A lot of them are outdated though, and have the obvious executable trojan.startpage.win32.XX.exe. And the directions for removing such was just to stop the process and delete the EXE.

I went through them all, and they made references to a few files i had seen over the period of trying to fix the problem, none of which eixsted during that time when the comptuer seemed fine. None of the directions helped me fix it.

I even used an updated HOSTS file from some site that is over 200 KB and blocks a boatload of ad sites...that did no good as it must be contacting some site thats not on there.

Considering that i was doing this over remote connection software i never got the chance to test out the system with no internet.

Would have been interesting to see if it recreated the file if the internet was off.

Rising Star

Marsden

Posted
Posted

Turn of System Restore

Run msconfig and turn everything off.

Reboot into Safe Mode

Run MS Antipsyware

Check for funny folders on your C:\ drive

In the Windows directory check for files with newer dates and zero info when you hover your mouse over them. Compare the *exe, *.dll, and *.dat files against your windows system files dates. Sort by date and all the crap will be near the top.

Search the C:\windows\system32 folder for the same files as above.

As you delete these files make a note of them and when finished fire up regedit and search for references to the deleted files.

After cleaning your registry with regedit (don't use 3rd party tools to do this)

Reboot into Safe Mode again and run MS Antispyware. You should be clean at this point.

Reboot normally and run msconfig again and turn on only those programs that you know to be valid windows or trusted 3rd party programs.

Reboot your machine and CWS should be completely removed.

Turn System Restore back on.

Veteran

Tokar

Posted
  • Author
Posted

well first off...this thread should be closed, and the posts used for information purposes. I have already solved my problem by formatting and reinstalling.

Neoforcer: that forum post had nothing to do with my problem. Did you happen to notice that in that post he makes no reference to the file i had problems with (c:\windows\temp\se.dll)?

Marden: i dont know where you got your copy MS Antispyware from, but mine sure doesnt detect CoolWebSearch.

Neowinian

wfdragon

Posted
Posted

To all -- I'm happy to report that 24 hours later I have not seen any evidence of the trojan returning -- while I still don't believe anyone fully understands what we are dealing with -- for now -- following Redstalker's post and Symantec's instructions on how to get rid of Trojan.StartPage.G (note not all steps found any files to delete) it look like at least there may be a wasy to get rid of the l1ttle pest!! Please let me knwo if it works for you too,

Regards,

WF Dragon

well first off...this thread should be closed, and the posts used for information purposes.  I have already solved my problem by formatting and reinstalling.

Neoforcer: that forum post had nothing to do with my problem.  Did you happen to notice that in that post he makes no reference to the file i had problems with (c:\windows\temp\se.dll)?

Marden: i dont know where you got your copy MS Antispyware from, but mine sure doesnt detect CoolWebSearch.

585520457[/snapback]

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.