Help removing Cool Web Search trojan

I seem to have a new CWS variant that is not being removed by the posted process. I got the thing by clicking on a link to a supposed electronic greeting card that looked legitimate. McAfee identified the trojan but was unable to stop it from doing its thing.

I followed the instructions on your site, and several of the programs identified CWS and said they removed it, but it wasn't really gone. I ran through all of the cleaning steps again and here are the results:
Housecall found nothing
Symantec found hacker exposure, nothing else
Stinger reported clean
CCleaners removed about 2Mb of temp files and reports XPSP1, P3 mobile 1Ghz, 318 ram, FAT32
AdAware reports 13 processes, 494 process modules,
0 critical new objects
13 negligible objects, all MRU lists, all were removed
SpyBot reports no immediate threats, all known bad products already blocked
CWShredder reports no infections
Kill2Me reports no signs of infection
AboutBuster reports Attempted clean of Temp folder after both scans.
(reboot) to allow Explorer to work again
HSRemove reports 8 items removed, complete. I ran it again and it reports no items
Trojan scan reports no trojans found.

A reboot to normal mode results in Explorer home page being hijacked immediately.

I also have an evaluation copy of SpySweeper which reports the trojan and attempts to clean it, but is not successful. It finds the registry entries for the default page and the home page and as soon as it cleans them the trojan puts them back. This happens within 2 seconds of them being cleaned.

I also have a evaluation copy of XofSpy which reports the trojan Troj/AnaFTP-01, which it claims has hijacked the file c:\windows\rundll.exe. Since I haven't purchased the program, it won't let me clean this. I'd be fine to spend the $30 for the program if it would clean it, but since several of the other programs unsuccessfully claim to have cleaned it, I'm reluctant.

Apparently, this thing hides somewhere that these programs are not looking and they find the results but not the cause. I need help.

 

Log is attached. Thanks for your assistance.

 

Ruby,
Your log didn't make it. Try attaching again.

 

here it is again.

 

Success!!! Many thanks for your assistance!

Before your post, I had actually gone through and cleaned up some of it using HijackThis - as follows:
attempting to remove the KH's to the bogus page did no good, as there was a program that repopulated that about every second. That program turned out to be "bgnajd" Attempting to remove this took two trys with HJT, but after this, I had control of the browser again! I had also removed 'systime' etc. during this process.

After getting your post, I also removed "fmifs" and "winspool" This has no apparent affect, which tells me that they were doing some snooping that was not visible.

Things are working as I think they should now.

I do have one quesiton based upon the new HJT log - is it your suggestion that I keep both Spybot and SpywareGuard running at all times?

Again, many thanks for your assistance.

 

Chaslang,
I have tried 4 times to remove that BHO line, and HJT has deleted the associated file, but won't delete the line. Do I need to manually edit the registry?

Thanks for your help.

 

Chaslang,

Ran Registrar Lite as you specified. For AppInit_Dlls, The Value field is blank - nothing in it.

 

Chaslang,
Here is the address:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObjects\{41FA6572-9266-29C0-8750-10550F822C1C}
The Value field is empty (blank)

BTW, every time I boot, Spybot asks the same questions about whether its okay to really delete the things that I changed like browser start page, etc. How do I get it to accept those changes and not make me answer the same question every time I start the computer? (This has happened the last 3 times I started the computer.)

 

I deleted the key as instructed. New log is attached. All appears well.

I turned off TeaTimer and that caused the boot-time messages to go away. I was answering to accept the changes, because not accepting them would have resulted in Spybot attempting to revert to the bad (hijacked) pages.

Your assistance has been greatly appreciated, and I hope that this information is helpful to others in the community. Thanks!

 

not quite..
I see this
C:\WINDOWS\System32\fmifs.exe

that is not a known EXE. looks like it's mutating again.

 

Good catch. I think I may have inadvertently allowed it back by responding incorrectly to one of the Spybot questions about allowing changes.

Anyway, my weekly McAfee VirusScan happened last night, and McAfee identified that file as being infected with the 'downloader' virus if I recall the message correctly and had deleted it. A new HJT is attached, which I believe shows that it is really gone now.

Thanks again!

 

i don't see anything this time around..