Adware (CoolWebSearch?) giving me fits!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lewism, Jun 8, 2005.

  1. lewism

    lewism Private E-2

    Started getting pop-up ads in IE6 when going to Google. No problem with other search sites or using other browsers. In general, the computer is running slow; the hourglass lingers longer than usual on the desktop and in Windows Explorer. On reboot, I get "updating configuration files". Ran Ad-Aware, Spybot and CWShredder from Safe Mode. Ad-Aware shows CoolWebSearch. Also, Add/Remove shows "shoppingwizard", "offer optimizer" and "CasProg".

    Followed the Major Geeks "How To: Spyware, Trojan and Virus Removal" ...
    Didn't help.

    Will post HijackThis log file if anyone will look at it.

    Please (before my daughter kills me :))
     
  2. Quinndrew5

    Quinndrew5 Corporal

    Post your log as an attachment if you have completed the spyware tutorial.
     
  3. lewism

    lewism Private E-2

    Here's the hijackThis log file from last night.

    Thanks for looking...
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    lewism,

    You have some pretty rough problems in your HJT log. Let's start by doing another type of virus scan. Follow the below...

    Download the following two files, create a folder on your desktop and call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner. After you have completed the scan reboot and post a fresh HJT log.
     
  5. lewism

    lewism Private E-2

    Downloaded Sysclean
    Link to Pattern.zip didn't work, so I downloaded LPT677.zip directly from Trend Micro.
    Ran program. (locked up 1st time - crashed computer and rebooted - ran ok).
    Windows app ran fine, errors on dos app on 12 files.
    Found no viruses and cleaned none
    Rebooted and new HJT file is attached.

    thanks...
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we continue, there are several infections remaining, so let's try to clean a few of those up first.

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    After you complete the above, reboot and attach a fresh HJT log.
     
  7. lewism

    lewism Private E-2

    Ran TrojanHunter. It deleted 60+ files. Was suspicious of winwa32.exe and atlqa.exe but didn't delete them.

    Here is my HJT log file just run (Sat. 1pm)

    Edit by bjgarrick: Inline log attached!
     

    Last edited by a moderator: Jun 11, 2005
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {70ACA3EC-5283-6210-D629-D008B102D9B8} - C:\WINDOWS\SYSTEM\MFCED32.DLL

    O4 - HKLM\..\Run: [WINWA32.EXE] C:\WINDOWS\SYSTEM\WINWA32.EXE
    O4 - HKLM\..\RunServices: [CRDE.EXE] C:\WINDOWS\SYSTEM\CRDE.EXE /s
    O4 - HKLM\..\RunServices: [SYSFM.EXE] C:\WINDOWS\SYSTEM\SYSFM.EXE /s
    O4 - HKLM\..\RunServices: [JAVAQZ.EXE] C:\WINDOWS\SYSTEM\JAVAQZ.EXE /s
    O4 - HKLM\..\RunServices: [IEGI.EXE] C:\WINDOWS\IEGI.EXE /s
    O4 - HKLM\..\RunServices: [APIJX32.EXE] C:\WINDOWS\APIJX32.EXE /s
    O4 - HKLM\..\RunServices: [CREK.EXE] C:\WINDOWS\SYSTEM\CREK.EXE /s
    O4 - HKLM\..\RunServices: [JAVALP.EXE] C:\WINDOWS\JAVALP.EXE /s
    O4 - HKLM\..\RunServices: [NTBX.EXE] C:\WINDOWS\SYSTEM\NTBX.EXE /s
    O4 - HKLM\..\RunServices: [IEIE.EXE] C:\WINDOWS\IEIE.EXE /s
    O4 - HKLM\..\RunServices: [JAVASM32.EXE] C:\WINDOWS\JAVASM32.EXE /s
    O4 - HKLM\..\RunServices: [MSIY.EXE] C:\WINDOWS\MSIY.EXE /s
    O4 - HKLM\..\RunServices: [WINCG.EXE] C:\WINDOWS\WINCG.EXE /s

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    (These were added from Spybot S&D or Ad-Aware, these will need to be removed)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\SYSTEM\WINWA32.exe

    C:\WINDOWS\SYSTEM\MFCED32.dll

    C:\WINDOWS\SYSTEM\CRDE.exe

    C:\WINDOWS\SYSTEM\SYSFM.exe

    C:\WINDOWS\SYSTEM\JAVAQZ.exe

    C:\WINDOWS\SYSTEM\CREK.exe

    C:\WINDOWS\SYSTEM\NTBX.exe

    C:\WINDOWS\WINCG.exe

    C:\WINDOWS\IEGI.exe

    C:\WINDOWS\APIJX32.exe

    C:\WINDOWS\JAVALP.exe

    C:\WINDOWS\IEIE.exe

    C:\WINDOWS\JAVASM32.exe

    C:\WINDOWS\MSIY.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
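The fix list above is built by hand from the HJT entry types: the R0/R1 lines are IE registry values, the O2 line is a BHO DLL, the O4 lines are autostart entries, and the file-deletion list is just the on-disk image behind each O2 and O4 entry. The following parser, added here as an illustration and not part of the thread or of HijackThis itself, takes a handful of the lines quoted in post #8 as constructed sample input, splits each entry into its registry key, value and file path, and derives the same deletion list; the helper names and the `HJT_LOG` sample are this example's own.

```python
import re

# Constructed sample input: a subset of the HijackThis lines quoted in post #8.
HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {70ACA3EC-5283-6210-D629-D008B102D9B8} - C:\WINDOWS\SYSTEM\MFCED32.DLL
O4 - HKLM\..\Run: [WINWA32.EXE] C:\WINDOWS\SYSTEM\WINWA32.EXE
O4 - HKLM\..\RunServices: [CRDE.EXE] C:\WINDOWS\SYSTEM\CRDE.EXE /s
O4 - HKLM\..\RunServices: [IEGI.EXE] C:\WINDOWS\IEGI.EXE /s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# One pattern per HijackThis section type that appears in the thread.
# R0/R1: registry key,value = data (data may be empty, as in "Local Page =").
PATTERNS = [
    re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) ?= ?(?P<data>.*)$"),
    re.compile(r"^(?P<kind>R3) - (?P<data>.+)$"),
    re.compile(r"^(?P<kind>O2) - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    re.compile(r"^(?P<kind>O4) - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"),
    re.compile(r"^(?P<kind>O6) - (?P<key>.+) present$"),
]

def image_path(cmd):
    """Executable path from an O4 command line: honour quotes, else drop args like '/s'.
    Caveat: an unquoted path containing spaces would be cut at the first space."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def parse_hjt(text):
    """Turn HJT log lines into dicts keyed by the named groups; unknown lines keep 'raw'."""
    entries = []
    for line in text.strip().splitlines():
        m = next((p.match(line) for p in PATTERNS if p.match(line)), None)
        entries.append(m.groupdict() if m else {"kind": "?", "raw": line})
    return entries

def files_to_delete(entries):
    """On-disk files behind O2 (BHO DLL) and O4 (autostart) entries: the
    same list post #8 tells the user to delete after fixing the entries."""
    paths = {e["path"] for e in entries if e["kind"] == "O2"}
    paths |= {image_path(e["cmd"]) for e in entries if e["kind"] == "O4"}
    return sorted(paths)

def policy_keys(entries):
    """O6 entries: IE policy keys that lock settings (set by Spybot/Ad-Aware per post #8)."""
    return [e["key"] for e in entries if e["kind"] == "O6"]
```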
