Hi legatobluesummers
Some variants are extremely stubborn, and can replicate themselves
repeatedly if not removed properly.
Try the information below and follow the instructions carefully. Read
through all the information first so that you will know what you need to do
and how
How to remove Coolwebsearch and affiliates
http://mvps.org/winhelp2002/unwanted.htm#Coolwebsearch
then.....
Also be sure to use the HijackThis. Please DO NO post your log to this
newsgroup, but to one of the HiJackThis Support Forums below:
http://www.hijackthis.de/forum/forumdisplay.php?f=10&guestlanguageid=4
the Aumha HiJackThis forums
http://forum.aumha.org/viewforum.php?f=30
or Bleeping Computer Forums
http://www.bleepingcomputer.com/forums/forum22.html
to allow the experts there to evaluate your log and advise you of the
necessary steps to clean your system.
(Note: To avoid having your log deleted or ignored, you *must* do the two
things listed here:
(1) Don't post a HijackThis log until you have already done preliminary
scanning of your system for parasites. I recommend you go to QuickFix page
on this site -
http://aumha.org/a/quickfix.htm - and run all steps
indicated, exactly as specified. Make the HJT log your last step, then post
to one of the sites above if you are still having problems.
(2) In your post, please specify what precleaning you have done, and specify
the problem that is prompting you to run this log in the first place.)
Then......
New ABOUT:BLANK CWS variant removal tool:
Like any disinfection procedure, it's a bit risky - it deletes an important
registry key and subsequently restores a revised version. If something goes
wrong, your PC may no longer work normally.
YOU USE THIS PROCEDURE AT YOUR OWN RISK!
Download Registrar Lite 2.0, install it and run it.
http://www.majorgeeks.com/download469.html
http://www.softpedia.com/public/cat/12/5/12-5-21.shtml
Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(note...should be all on one line)
and look at the AppInit_Dlls value.
Write down the name of the DLL file that's displayed!
(If you see several values separated by commas or spaces, which is unlikely,
use Windows Explorer to search for each one in the Windows\System32 or
Winnt\System32 directory. The one you can't find is the one to remember!)
Exit Registrar Lite.
Download and run this script. It will delete the CWS AppInit_Dlls value and
reboot Windows. After the reboot, the shield-DLL file is still on the hard
disk, but it's no longer a threat to your PC.
http://www.silentrunners.org/CWS Shield Dropper.vbs
Download Silent Runners here:
http://www.silentrunners.org/Silent Runners.vbs
Run it and look at the list of Browser Helper Objects. One of them will have
a strange name. Write down the the file name (including the full path)!
(If you're not sure which BHO was installed by CWS, reboot into Safe Mode
and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
also available to identify and delete BHO pests.)
Download and run this script to delete the CWS shield-DLL and the BHO files.
No reboot will be required.
http://www.silentrunners.org/CWS File Cleaner.vbs
Reset your Internet Explorer home page. Your PC should now run normally.
CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.
Also, get a copy of WINSOCKXPFIX available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
Also, with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also
From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
also ....
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)
or ........
Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip
Also.........
Courtesy of Jim Byrd -
Download Sysclean.com, from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here:
http://www.trendmicro.com/download/pattern.asp
Be sure to read the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
You might also want to get Art's updater, SYS-UP.Zip, here for future
updating of these:
http://home.epix.net/~artnpeg/.
(If you download and use the updater from the beginning, it will
automatically handle downloading the other files. Place them in a dedicated
folder after appropriate unzipping, and then run. This scan may take a long
time, as Sysclean is VERY extensive and thorough
and......
NOTE: If you can not download these programs from the Internet, if your PC
has CD read capabilities, go to another computer with CD-ROM burning
capabilities. Create a folder on the hard drive of the other computer called
HOLD, download the programs to that folder, then burn that folder to a CD.
Copy the HOLD folder to your HD and then install the programs from there
and run them. After you have IE access again, update all programs where
possible to get the latest definitions and run them again in Safe Mode to be
sure there are no lingering items on the system.
If these steps do not resolve your problem, or you need help with the above,
please post back to this thread with the details and any error messages.
Hope this helps
Jan
Smiles are meant to be shared,
that's why they're so contagious.
Replies are posted only to the newsgroup for the benefit or other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm