CWS mess and Spy sweepers going berserk!

Discussion in 'Malware Help (A Specialist Will Reply)' started by oshimon, Aug 20, 2005.

  1. oshimon

    oshimon Private E-2

    Hello to one and all,
    I've used instructions from this site's stickies on past occasions with good results to remove CWS but this time it keeps coming back and seems more 'rampant' than before.

    Followed all the instructions in the "How to: Spyware, Trojan And Virus Removal" sticky except the two online scans (6 hours until finished and still going up??!!). All downloaded programs were put in a C:\spyware tools\..... folder.

    Ad-aware, HJT throw up a load of stuff to be 'fixed' but it's back at the next re-boot.
    Spy Sweeper is going mental with start up, IE favorites and hijack warnings which keep re-appearing after a few seconds and there are pop ups every where.

    I'm sure that I've done everything as instructed (three times now) but with no result.

    I'm using XP Professional v2002 with SP2 on an AMD Athlon.

    My 'on-line' time will be a bit disjointed over the next few days but your help is much needed before I shoot the PC to bits!!!!!!!

    Thanks in advance,
    Simon.
     
  2. oshimon

    oshimon Private E-2

    OK, did all the above including the online scans which threw up around 30 items (report for both can be provided if needed).

    A few things which could be important -

    I couldn't connect to the internet in 'safe mode with networking' so did the on line scans in normal mode.

    SpyBot couldn't fix "CoolWWWSearch.home search" file C:\windows\uruhq.dat even after re-booting twice in both normal and safe start up mode.

    services.msc - RPC helper isn't running (? - the status and start up columns are blank) but when I clicked properties it gave me the following warnings: "configuration manager : a required entry in the registry is missing or an attempt to write to the registry failed" and then "the system cannot find the specified path".

    Spy Sweeper is still going ape poo and it's pop up city over here I can tell you.

    A stupid question - can I still use the internet and e-mails as normal or should I limit my use to only this site as I have been doing?

    HJT log attached with nothing 'fixed'.

    Many thanks for your patience and help,

    Simon.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What D3m3nt3d meant was to use HJT's process manager to kill the below process and then have HJT fix the lines starting from the R1 line down.

    C:\WINDOWS\ierm32.exe

    If you do not know how to do that with HJT, here is how:


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\ierm32.exe
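As an added example (editor's note; this is not HJT's code and not part of chaslang's or D3m3nt3d's instructions), here are the same two steps done from an elevated PowerShell prompt instead of HJT's process manager: kill the process by its exact image path, then strip the O4 Run/RunOnce values that point at it, and only then delete the file. The image path is the one named in the post; the function name and the step ordering are ours.

```powershell
# Added example (editor's; not HJT's code or the thread's instructions): kill a
# process by its full image path and remove Run/RunOnce values that launch it.
# Path below is the one from the post; the function name is ours.
# Run from an elevated PowerShell prompt.

function Remove-AutorunByPath {
    param([Parameter(Mandatory)] [string] $ImagePath)

    # 1. Kill any running instance whose loaded executable is exactly $ImagePath.
    #    Matching on the module path rather than the process name avoids killing
    #    a legitimate binary with the same name that lives somewhere else.
    foreach ($p in Get-Process) {
        $exe = $null
        try { $exe = $p.MainModule.FileName } catch { }   # access denied on some system processes
        if ($exe -and ($exe -ieq $ImagePath)) {
            Write-Host "Killing PID $($p.Id) ($exe)"
            Stop-Process -Id $p.Id -Force
        }
    }

    # 2. Remove the Run/RunOnce values (HJT's O4 lines) whose data names the
    #    path, so the binary does not come straight back at the next logon.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data.IndexOf($ImagePath, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                Write-Host "Removing $keyPath\$name = $data"
                Remove-ItemProperty -LiteralPath $keyPath -Name $name
            }
        }
    }

    # 3. Only now delete the file: deleting a running executable fails with a
    #    sharing violation, and deleting it before the autorun entry is gone
    #    just leaves a dangling O4 line for a re-dropper to refill.
    if (Test-Path -LiteralPath $ImagePath) {
        Remove-Item -LiteralPath $ImagePath -Force
        Write-Host "Deleted $ImagePath"
    }
}

Remove-AutorunByPath -ImagePath 'C:\WINDOWS\ierm32.exe'
```

The caveat this thread itself illustrates: if something else on the box re-drops the file (later in the thread a bogus "RPC Helper" service running ntrw.exe turns out to be doing exactly that), killing and deleting the dropped executable is undone at the next boot. Stop or disable the loader first, or do the whole thing from Safe Mode as the sticky says, then re-run HJT after a reboot to confirm the O4 line has not returned.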
     
  4. oshimon

    oshimon Private E-2

    Thanks for the reply,

    I ran CCleaner first after booting in 'safe' mode as per the sticky instructions.

    Killed 'C:\WINDOWS\ierm32.exe' process and fixed all the others with HJT.

    "O4 - HKLM\..\RunOnce: [addye32.exe] C:\WINDOWS\system32\addye32.exe"

    wasn't in the log but about 5 other 'run once' lines were, which were the same as those thrown up by Spy Sweeper, so I killed 'em anyway.

    Rebooted.

    Deleted the two files as told.
    Ran CCleaner.

    Ran HJT (log attached).
    Spy Sweeper then threw up some more stuff so I ran HJT again and have also included this log (hijackthis after SS kicked in.log) as it's different from the first. Didn't try to fix anything from this log.

    Spy Sweepers still giving me the orange wink but no popups so far.........

    Many thanks,
    Simon.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    TIP: Certain O15 entries (like the crazywinnings) cannot be fixed by just using HJT. You need to remove the registry entries from the Trusted Zone and then add them to the Restricted Zone using a registry edit.

    See message # 6 of the below thread for an example patch and three example O15 type lines (there are more that this happens with but it is not the case for all O15 lines).

    http://forums.majorgeeks.com/showthread.php?t=52167
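As an added example (editor's note; not from chaslang's post or the linked thread, and not HJT's code), here is the registry edit chaslang describes done as a PowerShell function rather than a .reg patch. IE stores O15 entries as keys under ZoneMap\Domains (one key per domain, subkeys for host labels such as www), each holding a DWORD per scheme ('*', 'http', 'https') whose value is the zone number: 2 is Trusted Sites, 4 is Restricted Sites. The function walks every such value for a domain and flips Trusted to Restricted in both the per-user and the machine-wide map. 'example.test' is a placeholder, not a domain from this thread; the function name is ours.

```powershell
# Added example (editor's; not from the thread or the linked post): move every
# Internet Explorer zone-map entry for a domain from Trusted Sites (zone 2) to
# Restricted Sites (zone 4). 'example.test' is a placeholder domain.
# Run from an elevated PowerShell so the HKLM copy can be edited as well.

function Move-DomainToRestrictedZone {
    param([Parameter(Mandatory)] [string] $Domain)

    # IE keeps a per-user and a machine-wide zone map. Each domain is a key
    # (with subkeys for host labels such as 'www') whose DWORD values are
    # named after the scheme they apply to: '*', 'http' or 'https'.
    $roots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    $Trusted    = 2
    $Restricted = 4
    $changed    = 0

    foreach ($root in $roots) {
        $domainKey = Join-Path $root $Domain
        if (-not (Test-Path -LiteralPath $domainKey)) { continue }

        # The domain key itself plus every host-label subkey beneath it.
        $keys = @(Get-Item -LiteralPath $domainKey) + @(Get-ChildItem -LiteralPath $domainKey -Recurse)
        foreach ($key in $keys) {
            foreach ($scheme in $key.GetValueNames()) {
                if ([int]$key.GetValue($scheme) -eq $Trusted) {
                    Set-ItemProperty -LiteralPath $key.PSPath -Name $scheme -Value $Restricted -Type DWord
                    Write-Host ("{0}\{1}: Trusted ({2}) -> Restricted ({3})" -f $key.Name, $scheme, $Trusted, $Restricted)
                    $changed++
                }
            }
        }
    }
    return $changed
}

# Check afterwards: the domain should now be listed under
# Internet Options > Security > Restricted sites, and no value under the
# domain key should still read 2.
$n = Move-DomainToRestrictedZone -Domain 'example.test'
Write-Host "$n value(s) moved to the Restricted zone"
```

Two things to check after running it. First, HJT's O15 lines are read from exactly these keys, so a fresh HJT scan after a reboot tells you whether the entry stayed in the Restricted zone; if it reverts to Trusted, a still-running process or service is re-adding it and has to be dealt with first. Second, the function only handles domain-name entries; IP-address entries live under ZoneMap\Ranges instead of ZoneMap\Domains and would need the same treatment there.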
     
  6. oshimon

    oshimon Private E-2

    Thanks again for the replies.

    Did everything as told in post #8 -

    C:\WINDOWS\system32\ntrw.exe (RPC helper) is now disabled.

    C:\windows\addvj32.exe wasn't present in the HJT process manager window.

    With the HJT scan the following didn't show up -

    O4 - HKLM\..\Run: [addvj32.exe] C:\WINDOWS\addvj32.exe
    O4 - HKLM\..\RunOnce: [iexg.exe] C:\WINDOWS\iexg.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntrw.exe" /s (file missing)

    None of the following for deletion could be found -

    C:\WINDOWS\addvj32.exe
    C:\WINDOWS\iexg.exe
    C:\WINDOWS\system32\ntrw.exe
    C:\Documents and Settings\simon\Local Settings\Temporary Internet Files\Content.IE5\QISNSOVR\SFUninstaller[1].exe

    (After doing a 'search' for the files, it showed up .pf files of the same name in the C:\Windows\Prefetch folder (whatever that is). Needless to say I didn't touch them...........)

    ewido log and HJT log attached.

    Cheers,
    Simon.
     

  7. oshimon

    oshimon Private E-2

    Did as instructed in post #11

    HJT log attached.

    IE running slow and SS still throws up around 10 startup shield warnings and home page/hijack warning.

    Can I now delete the move.reg file from the desk top as I cant seem to see my wallpaper due to all the crap I'm gathering there?

    Many thanks,
    Simon.
     

  8. oshimon

    oshimon Private E-2

    D3m3nt3d - everything in the ".....\Prefetch" folder is now toast :)
    Left the folder itself in place.

    Simon.
     
  9. oshimon

    oshimon Private E-2

    Did everything as in post #15 - log attached.

    SS hasn't popped up in, ohhhhhh, must be about 4 minutes now - could this be the end of my troubles and could it be safe to put my 9mm back in it's holster now?

    Simon.
     

  10. oshimon

    oshimon Private E-2

    Forgot to add - the C:\Windows\Prefetch folder was empty.

    Simon.
     
  11. oshimon

    oshimon Private E-2

    Cheers d3m3nt3d but I have a stoopid question, what is 'smartfinder'?
    I presume it's a search bar type thang - if it is then 'orf with it's head!' but I want to be sure before I remove it......

    Simon.
     
  12. oshimon

    oshimon Private E-2

    HJT couldn't find 'Smartfinder uninstall' so I disabled 'SFUninstaller[1].exe' with 'services.msc' - is this ok/enough?

    Latest HJT log attached.

    Simon.
     

  13. oshimon

    oshimon Private E-2

    OK, done and dusted (the NT service was under the name 'SmartFinder_Uninstall').

    D3m3nt3d (and Chaslang), many,many thanks to the both of you!!!!

    Mission accomplished :)

    Have a cigar.

    Again, thank you for all your time and patience.

    Until the next time :rolleyes: ................

    Simon.
     