Can't remove coolWWWSearch (hijacker)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by seve101, Mar 9, 2005.

  1. seve101

    seve101 Private E-2

    I have tried everything to remove spyware, including all the steps you have listed, and tried all the antispyware removal tools. When I try to remove some dodgy items on the HijackThis program they reappear as soon as I perform another scan. Help. This has been going on for weeks and I am tearing what's left of my hair out.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. seve101

    seve101 Private E-2

    please help
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    The first thing that I need to point out is that your Operating System is way outdated. After we get your system clean I would recommend your going to Windows Updates and getting updated. I would recommend installing Windows XP Service Pack 2 so you will have the latest security patches.

    Second:

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)

    O19 - User stylesheet: C:\WINDOWS\stsheets.dat

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\stsheets.dat


    Third:

    While in Safe Mode download and run the following tools:

    CWShredder 2.13

    CoolWWWSearch.SmartKiller (v1/v2) MiniRemoval

    Note: Run the SmartKiller if you have any problems running CWShredder.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. seve101

    seve101 Private E-2

    Still hangin in there. Log attached.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do one last scan with HijackThis and Check the Box for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Run CCleaner


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After you do the above, reboot and tell me how things are running and if you're having any further problems.
     
  7. seve101

    seve101 Private E-2

    When I fix this line it is back immediately when I rescan.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please allow me some time to post you a fix.
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Seve,

    BJ asked for a second pair of eyes on this one, so, to help ID this baddie, please do the following:

    Please unzip and run the RegSrch Tool I attached below.
    Please make sure that your Anti-Virus app does not have Script Blocking enabled. If so, disable it to allow the tool to run.

    Please enter the following into the Search Box: stsheets

    Please save the results of this search and attach them.


    Then, please unzip and run the Locate.zip Tool I attached below.
    DoubleClick on the locate.bat to run it and attach that log.

    Let's see what the two logs have to say and go from there!

    PP :)
     

    Attached Files:

  10. seve101

    seve101 Private E-2

    Thanks for all your help guys. Unfortunately for some reason I cannot download any files from the net so I can't even try your latest solution (think I have deleted somethin I shouldn't have while tryin to get rid of this beast). I think I'll probably go back to basics and format my drive and reinstall. But I appreciate very much your time and effort.
    Cheers
     
  11. PhilliePhan

    PhilliePhan Guest

    Sorry to hear that - These tools can ID this baddie! You should check to be sure your Hosts File has not been corrupted - Often occurs with this baddie. That could affect your ability to connect or download from a number of sites.

    Should be C:\Windows\system32\drivers\etc\hosts

    PP :)
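
The hosts-file check suggested in the last post, as an added example that is not part of the thread and is not a MajorGeeks tool: it lists every hosts entry other than the stock `localhost` mapping and says whether the name is blocked (pointed at loopback or 0.0.0.0) or redirected to another address. The sample file, its `example` host names and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress
import sys

# Names a stock hosts file is expected to map to loopback (assumption).
EXPECTED_LOCAL = {"localhost", "localhost.localdomain"}

# Constructed sample, not taken from the thread's logs.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       download.example.com   # site appears unreachable
0.0.0.0         update.example.net
203.0.113.7     search.example.org www.search.example.org
not-an-ip       broken.example.com
"""

def audit_hosts(text):
    """Return (line_no, hostname, address, verdict) for each entry to review."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, " ".join(names), address, "malformed"))
            continue
        if not names:                              # address with no host name
            findings.append((line_no, "", address, "malformed"))
            continue
        for name in names:                         # one line may carry aliases
            host = name.lower().rstrip(".")
            if host in EXPECTED_LOCAL and ip.is_loopback:
                continue                           # the normal stock entry
            # Loopback or 0.0.0.0 makes the name unreachable; anything else
            # sends the browser to a different server than DNS would.
            sinkhole = ip.is_loopback or ip.is_unspecified
            verdict = "blocked" if sinkhole else "redirected"
            findings.append((line_no, host, address, verdict))
    return findings

if __name__ == "__main__":
    # Pass a path (e.g. the hosts file named in the post) or use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for line_no, host, address, verdict in audit_hosts(text):
        print(f"line {line_no}: {host or '(none)'} -> {address} [{verdict}]")
```

"Blocked" entries are not always hostile, since some protection tools add them on purpose; entries for download, update or anti-malware sites that nobody added deliberately are the ones to question.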
     
