Please Help Me Remove Coolsearch.biz

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gingerninja, Nov 1, 2004.

  1. gingerninja

    gingerninja Private E-2

    I have recently been infected by a Trojan which has caused all sorts of Mayhem to my PC. After some time deleting newly installed programs I seem to have cleaned up most of the problems. By following the Article "Read Me First Before Asking For Support" I have even stopped the Qhosts.apd virus that McAfee kept reporting. (It was affecting or creating the hosts then hosts.new file in my system32\drivers\etc folder). I still have a problem with my browser suddenly jumping to the coolsearch.biz web page followed by some rubbish I don't want.

    From reading other users problems involving this I think the solution lies in running HijackThis. Having never used this before though I thought it best to ask for advice and even assistance with analysing the log.

    I have not run the program yet but will do so and post the log as and when asked to.

    Sorry if this is something I should be doing on my own but I've spent the last two evenings trawling through pages of forums, downloading countless programs (on a 56k modem) and generally tearing out my hair trying to sort it out. I feel fairly close to resolving the issue but want to make sure with someone with experience and skill that this is done properly.

    Cheers
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2
     
  3. gingerninja

    gingerninja Private E-2

    OK

    Here is the log file from HijackThis.

    I am running version 1.98.2

    Also a couple of other issues - though minor - are that Windows Explorer needs to close after booting up when I go to My Computer folder (and I think when opening up other folders too, but it only needs to close once and after it returns all is well until next boot up). Also the sound of the modem connecting has gone - annoying as it was - even though the modem speaker box is checked in the modem configuration.

    Thanks Chaslang
     

  4. alichami

    alichami Private E-2

    Hello,
    I have the same problems also...

    Every time (after rebooting) I open My Computer, My Documents or any other folder ... it says that Windows Explorer has encountered problems and needs to be closed.... my home page is hijacked by coolsearch.biz ...
    Also I keep getting this http://www.installxxxtoolbar.... on the system tray..

    I know it is a mess (I am running XP Pro SP1 by the way)


    I ran every possible tool... HijackThis, Adaware6.0, noadaware, AVG, SpyBot ...all of them but I am still getting the same problem

    Please help us...

    Thanks.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please start your own thread for your problem. Or just follow along here. We do not like to work multiple user problems in a single thread. It always leads to confusion. Your first step must be to follow the steps here: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ginger,

    It does not look to me like you ran the Symantec online scan. Is there a reason for that?

    Make sure you have system restore disabled and viewing of hidden files enabled.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    opub.exe
    y.exe
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    This R0 line is up to you (I don't know what you want for a home page):
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.europe.yahoo.com/config/mail?.intl=uk
    O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\System32\CustomIE32.dll
    O4 - HKLM\..\Run: [Y] C:\documents and settings\chris & sarn\local settings\temp\Y.exe
    O4 - HKCU\..\Run: [Uipr] C:\Documents and Settings\chris & sarn\Application Data\opub.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\chris & sarn\Application Data\opub.exe
    C:\documents and settings\chris & sarn\local settings\temp\Y.exe
    C:\WINDOWS\System32\CustomIE32.dll

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Nov 1, 2004
  7. gingerninja

    gingerninja Private E-2

    Chaslang,

    Having analysed the HijackThis log I find three lines that I think may need fixing. Could you confirm this with me?

    Lines not found in TonyK's or PacMan's lists are:

    O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\System32\CustomIE32.dll

    O4 - HKLM\..\Run: [Y] C:\documents and settings\chris & sarn\local settings\temp\Y.exe

    O4 - HKCU\..\Run: [Uipr] C:\Documents and Settings\chris & sarn\Application Data\opub.exe

    I had thought that I deleted Y.exe already but it still appears in the list.
    CustomIE32.dll was created on my PC on the day of the mayhem.
    I don't remember seeing opub.exe and so am a bit more wary about deleting this one.

    Thanks Chaslang
     
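    As an added example (not from this thread, and not part of HijackThis itself), here is a small Python triage script that parses the R0/O2/O4 entries chaslang lists and gingerninja repeats above, and flags the ones a reviewer would look at first. The "user-writable directory" and "generic BHO name" heuristics are my own assumptions for illustration, not HJT rules.

```python
import re

# Constructed sample input: the HijackThis entries quoted in the thread above.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.europe.yahoo.com/config/mail?.intl=uk
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\System32\CustomIE32.dll
O4 - HKLM\..\Run: [Y] C:\documents and settings\chris & sarn\local settings\temp\Y.exe
O4 - HKCU\..\Run: [Uipr] C:\Documents and Settings\chris & sarn\Application Data\opub.exe
"""

# One regex per HJT line type handled here (R0 start page, O2 BHO, O4 autorun).
PATTERNS = {
    "R0": re.compile(r"^R0 - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<target>.+)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$"),
}

# Assumed heuristics: autoruns that launch from user-writable profile/temp
# folders, and BHOs with no meaningful display name, deserve manual review.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")
GENERIC_BHO_NAMES = {"", "bho class", "(no name)"}


def assess(entry):
    """Return the list of review reasons for a parsed entry (empty = nothing flagged)."""
    reasons = []
    target = entry["target"].lower()
    if entry["kind"] == "O4" and any(d in target for d in SUSPECT_DIRS):
        reasons.append("autorun launched from a user-writable profile/temp directory")
    if entry["kind"] == "O2" and entry["name"].strip().lower() in GENERIC_BHO_NAMES:
        reasons.append("BHO with generic or missing display name; verify CLSID and DLL")
    return reasons


def parse_line(line):
    """Parse one HJT log line into a dict, or return None for unhandled line types."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            entry = {"kind": kind, **m.groupdict()}
            entry["reasons"] = assess(entry)
            return entry
    return None


def triage(log_text):
    """Parse a whole log; return (all parsed entries, entries with review reasons)."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return entries, [e for e in entries if e["reasons"]]


if __name__ == "__main__":
    for e in triage(HJT_LOG)[0]:
        print("REVIEW" if e["reasons"] else "ok    ", e["kind"], "->", e["target"])
        for r in e["reasons"]:
            print("        reason:", r)
```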
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please look at my previous post just before your last one.
     
  9. gingerninja

    gingerninja Private E-2

    Chas,

    Sorry about the last post. It seems you beat me to it!

    I didn't run Symantec's online scan because I was drifting off in front of the monitor last night and had to get an early start today (I live in the UK). When I got home from work today I forgot. Besides all that, anything I do online takes an unreal amount of time since I can't get broadband where I live.

    I opened up Task Manager and ended opub.exe
    I could not see Y.exe (I ended this yesterday and then deleted the program file - stupidly I was not in Safe Mode though since I had not read up on any forums at that point!)

    I successfully ran HijackThis and fixed the 4 lines (The Homepage was actually set to my Yahoo Mail site but I deleted it anyway!)

    In Safe Mode I could not find opub.exe, Y.exe or CustomIE32.dll (Is this a good thing or are they now lurking somewhere else??)

    Attached is the log file. So far all seems back to normal though I have not exactly tested the system to any extent yet. Windows Explorer did not need to close though, which is certainly a bonus.

    Finally, even though I sadly do have the disability of slightly reddish hair, where I come from the term Ginger is verging on the offensive. You may have noticed that I called myself the GingerNinja to boost my image as much as I could away from the stereotypical. As such I prefer that I am addressed that way in future ;)

    Cheers Chaslang for all of your help!!
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log looks clean now. Just a couple of questions: are you sure you had enabled viewing of hidden files (also uncheck hiding of extensions for known file types), and did you use Windows Explorer to look for the files or did you use Windows search?
     
  11. gingerninja

    gingerninja Private E-2

    Just to Update.

    Internet browser seems to be completely back to normal.

    Chaslang is a Saint.

    It is time for me to turn on System Restore for my drives??

    Also do you have any idea why the modem speaker now does not work?

    Another issue that arose on the day of mayhem is that my QuickLaunch bar is not working properly. I can only use the items in the quick launch bar that are exposed and not the ones that are extra!!

    I know that these are pretty insignificant issues but as and when you get the time to have a think about them (or refer me to someone else who might know) I would be grateful.

    By the way was everything OK with my last post ie. not finding Y.exe in the processes list, etc..?

    Thanks again Chaslang

    Gingerninja
     
  12. gingerninja

    gingerninja Private E-2

    Seems our posts cross again Chaslang!

    Yes - I have show hidden files
    Yes - I have show extensions
    Yes - I used Windows Explorer (I couldn't actually find Windows search, which I was going to use as a secondary method after not finding the files by going to the respective folders)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After a reboot and if still having no problems, enable system restore.

    As far as modem sound you can normally enable & disable that via the Control Panel. Also you can send specific commands to a modem to disable sound and likewise to enable it. You need to see what command string is being sent to your modem.

    I'm not sure I follow your question about the QuickLaunch bar. What do you mean "the ones that are extra"? Do you mean the ones hidden from view because there are too many?

    We very frequently have problems like this where the trojan files cannot be found. Sometimes they were already gone and sometimes it is due to fixing another item (like the O2 BHO line DLLs) that causes them to disappear.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    FYI if you ever use search, you need to set some options to find hidden files & folders:

    Click Start, Search, All files and folders, enter the file name in the box provided, then click More advanced options and make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.
     
  15. gingerninja

    gingerninja Private E-2

    Chaslang,

    Please explain to me - in layman's terms - how to see what command string is being sent to the modem.

    Also I did mean "the ones hidden from view because there are too many?" when I said "the ones that are extra"? re:- Quick Launch bar.

    I think McAfee Virus Scan actually cleaned the trojan which was lying in System32\drivers\etc, and everything left in its wake has been sorted by the recommended programs and your good self! At least that is the way I see it.

    Thanks for your info on Windows search. I must admit I hardly ever use it but when I do I now know how. By the way - why could I not see Windows Search when in Safe Mode? And since we're on the subject, yesterday when in Safe Mode with Networking I could not find my internet network connection. Why was that? I could see my LAN connection.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have not touched a system with an analog modem in a long time. Try going to Control Panel and look for your Modems icon. Select it. Somewhere under that there should be a place to set up a command string. Also important is how you are connecting to the internet. What software do you use? How do you get a dial-up connection?

    I'm not sure why you could not find search in safe mode.

    In safe mode, the majority (if not all) dial-up modems cannot get networking since you are not really on a network and many drivers required are not loaded in safe mode. When you say you could see your LAN connection, what do you mean? You said you use an analog modem.
     
  17. gingerninja

    gingerninja Private E-2

    I use OneTel as my service provider. They sent me the program that I use to get online. I think I have found the place to set up the command string.

    It is under the Diagnostics Tab of the Compaq Data Fax Modem Properties menu.

    It allows me to Query Modem, then shows a section of Command followed by Response.

    Is that it???

    By LAN I meant the connection that I use when connecting to other computers in the house when there are any - ie. not of any relevance to the issue in hand and I should never have mentioned it!

    To be perfectly honest Chaslang the modem thing does not bother me. In fact I rather like the fact that the modem dials up silently now!!

    What is more of an issue is the fact that the QuickLaunch bar is not functioning as it used to.

    It is getting late for me over here in the UK though, and I have another early start in the morning and so I'm about to log off. I would appreciate your view on the QuickLaunch subject though and will look for your response in a couple of evenings time.

    Thanks massively Chaslang for your time and help with my problems.

    A tired but relieved GingerNinja Signing Out
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  19. gingerninja

    gingerninja Private E-2

    Still here - just!!

    Yeah. That's the problem. I can't expand the view to reveal the hidden icons. It just won't let me! The double arrows are there which hint that there are more icons to be found but nothing opens up.

    When I right click over the QuickLaunch bar and select Open Folder I see four items. I can only see three on the bar though. Incidentally the OneTel shortcut is actually in Blue. Is this some indication that it has been changed at some point recently??? Is this at all relevant??
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which side of the window are your Quick Launch icons on? Left or Right?
     
  21. gingerninja

    gingerninja Private E-2

    Left

    All has been working fine until the Trojan hit.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you right click on the Taskbar do you see a check mark on Lock the Taskbar? If so uncheck it.
     
  23. gingerninja

    gingerninja Private E-2

    Done

    Now what?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you now expand the size of the quick launch bar so you can see all icons.
     
  25. gingerninja

    gingerninja Private E-2

    I can expand it to show all icons on the bar Yes.

    I could not activate the arrows though to reveal the extra hidden icons, which is what I would prefer to do since the more icons on the bar the less space there is for other stuff like windows and stuff
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so now if you shrink the bar to hide some icons and then Left click the '>>' what happens?
     
  27. gingerninja

    gingerninja Private E-2

    Still did not work and have now managed to get the taskbar twice as tall as it used to be. Don't know how or how to return it to "single storey"!

    It's getting late and my brain is falling asleep

    Sorry
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just left click on the top of it until you see the up and down arrows and then drag it down to single height.

    I can't think of anything else right now. Get some sleep. If I think of anything, I'll post it.
     
  29. gingerninja

    gingerninja Private E-2

    Thanks Man

    Speak Later
     