I cannot get rid of CoolWebSearch, need some help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by iamPatrick, Jun 5, 2005.

  1. iamPatrick

    iamPatrick Private E-2

    I would appreciate some help with this problem. I have followed all the steps in the tutorial by Major Attitude. My computer had a few trojans and various other spyware. Everything cleaned up great except for Coolwebsearch which continues to return. I went through all the tutorial steps, and also tried to use the tutorial found here by Chaslang. Unfortunately it didn't apply to my system because I don't have a .dll listed in my R0 or R1 lines of my "Hijack This" log. This thing just keeps returning and I don't have the expertise to get rid of it.
    Thanks for any assistance.
     
  2. mortgageguru

    mortgageguru Private E-2

    Try downloading CWShredder from offsite link removed...


    This should help you with your issue...

    Mortgageguru
     
    Last edited by a moderator: Jun 5, 2005
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not refer people to download programs from other sites when they are available on MG's.

    CWShredder is available here: CWShredder

    Also the user has already indicated that the READ ME FIRST sticky has been followed. CWShredder is included in the sticky. You need to read our sticky threads yourself to familiarize yourself with their contents.

    Also, if the problem is a true about:blank or HSA hijacker form, CWShredder will do nothing to fix it.
     
    Last edited: Jun 5, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    iamPatrick,

    Please follow the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. iamPatrick

    iamPatrick Private E-2

    Here is my Hijack This Logfile.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see no signs of the online scanners being run. Did you skip them? Did you skip anything else?

    You do not have an HSA or about:blank hijacker problem.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a couple of Trojan.StartPage.O problems.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
    O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\xmllib.dll
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
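The R0, O2 and O4 lines listed in the post above follow HijackThis's fixed line format. As an added example (not from the thread, HijackThis or any tool named here), this small parser reads those three entry types and flags the ones that reference the start page, BHO CLSID and file paths chaslang identified; the sample log copies those five lines from the post and adds one constructed benign O4 entry to show what is not flagged.

```python
import re
# Added example (not from the thread or HijackThis): parse R0/R1, O2 and O4
# HijackThis lines and flag those matching the indicators chaslang listed.
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")

# Indicators taken from the posts above, lower-cased for comparison.
KNOWN_BAD_PATHS = {
    r"c:\windows\xmllib.dll",
    r"c:\windows\system32\smssu.exe",
    r"c:\windows\system32\tmntsrv32.exe",
}
KNOWN_BAD_CLSIDS = {"{60371670-81b9-4d06-9c42-4dec1aabe62b}"}
HIJACKED_START_PAGE = "http://default.home"

def parse_line(line):
    """Return a dict for one R0/R1, O2 or O4 line, or None for any other line."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        return {"type": m.group(1), "hive": m.group(2), "key": m.group(3), "value": m.group(4), "data": m.group(5)}
    m = O2_LINE.match(line)
    if m:
        return {"type": "O2", "name": m.group(1), "clsid": m.group(2), "path": m.group(3)}
    m = O4_LINE.match(line)
    if m:
        return {"type": "O4", "hive": m.group(1), "key": m.group(2), "name": m.group(3), "path": m.group(4)}
    return None

def reasons(entry):
    """List why a parsed entry matches the thread's indicators (empty if it does not)."""
    out = []
    if entry is None:
        return out
    if entry["type"] in ("R0", "R1") and entry["data"].lower() == HIJACKED_START_PAGE:
        out.append("start page forced to " + HIJACKED_START_PAGE)
    if entry["type"] == "O2":
        if entry["clsid"].lower() in KNOWN_BAD_CLSIDS:
            out.append("BHO CLSID named in thread")
        if entry["path"].lower() in KNOWN_BAD_PATHS:
            out.append("BHO DLL path named in thread")
    if entry["type"] == "O4" and any(p in entry["path"].lower() for p in KNOWN_BAD_PATHS):
        out.append("autorun entry launches a file named in thread")
    return out

def scan(log_text):
    """Return [(line, reasons)] for every flagged line of an HJT log."""
    flagged = []
    for raw in log_text.splitlines():
        why = reasons(parse_line(raw))
        if why:
            flagged.append((raw.strip(), why))
    return flagged

# Five lines copied from the post above plus one constructed benign entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /background
"""
```

Running `scan(SAMPLE_LOG)` returns the five flagged lines with their reasons and leaves the constructed updater entry alone.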
     
  8. iamPatrick

    iamPatrick Private E-2

    I did not skip anything. What online scanners are you referring to? Trendmicro?
    Every time I run ad-aware, I get coolwebsearch. Every time I run internet explorer I get directed to about:blank page. Also every time I run HSRemove it comes up with 8 items and says it has removed them. Then they are back.

    Sorry I was typing this before your last reply came through.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Both Trend Micro and Symantec. They leave traces that would be seen in your HJT log. However, if you ran the Java version of Trend Micro it will not leave any trace.

    Post your Ad-aware log. It is probably just minor registry keys.
    You do not need HSremove. You do not have the hijacker. Also HSremove will always show 8 items removed, even on a clean system and even after running it many times. It is a bug that has never been fixed.

    Complete the steps in my previous post.
     
  10. iamPatrick

    iamPatrick Private E-2

    Ok,
    Yes I did scan with java because I was using FireFox. I now realize I did skip the symantec scan (sorry).

    I attempted to follow the instructions in the last post. I was unsuccessful at killing the processes. They kept re-appearing. I went ahead with the instructions anyway, except I could not delete C:\windows\system32\smssu.exe , or C:\windows\system32\Tmntsrv32.exe. It said access denied. At that time I tried closing the processes, but they would reappear shortly after. Do we have to delete these from dos? Also here is a new Hijack This log, and my ad-aware log.
    thanks
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to get the processes closed or you cannot delete the files. Try booting into safe mode and ending the processes. Select both of them at the same time with HJT and then select Kill. Then fix the O4 lines and delete the files. (don't forget the DLL) See if that works.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have a c:\windows\hosts file, delete it while booted in safe mode.

    The Ad-Aware message about C:\WINDOWS\System32\wbem\logs\wbemess.log is really a false positive. This is just a log file. There is nothing to be worried about from it. wbemess.log is on all WinXP systems.


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixcws.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixcws.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.
    This is not the about:blank or HSA form of the hijacker.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you still could not delete the problem files and HJT lines in safe mode, try the below steps.

    Download Pocket KillBox and extract it to its own folder.

    IMPORTANT: Now print these instructions or copy them locally. I want you to run all of the below steps while physically disconnected from the internet. Do not reconnect until I say to do so. And do not open a browser until I say to.

    OK! Disconnect now before continuing.

    Now run killbox.

    Now, Copy and Paste C:\WINDOWS\xmllib.dll into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste C:\WINDOWS\System32\SMSSU.EXE into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste C:\WINDOWS\System32\Tmntsrv32.EXE into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes and allow Killbox to reboot your PC.

    If you get an error message about "Pending Operations" just reboot your PC yourself.

    Now get a new HJT log.
     
  14. iamPatrick

    iamPatrick Private E-2

    It will not let me kill those two processes. When I attempt to kill both at the same time in safe mode, from Hijack This, it says "the selected process cannot be killed. It may have already closed, or it may be protected by windows".
    One thing I did do was to try to kill the processes and delete the files at the same time. The files actually disappear for a second then reappear with the processes on task manager.

    ...again I typed this before I saw your previous post, will get right on that,
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you do what is in both message #12 and #13
     
  16. iamPatrick

    iamPatrick Private E-2

    Ok I have performed both message #12 and #13.
    Here is a new log. I wasn't sure if you wanted me to then try to kill those 2 processes, or fix those lines in HJT after running the Pocket Killbox. I did not.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell me what happened while doing message number 13. Did killbox complain about anything? Did it actually locate the files?

    Try doing the below after booting in safe mode:

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\xmllib.dll
    then click OK. If a dialog box confirming this action appears, click OK.
    If you get an error message, tell me later and continue.

    Run the steps from message number 13 again while in safe mode. Let me know if killbox gives any error messages at all. Also does it find the files (when it finds them, you will see the file name in blue).
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also tell me if you see any of the below files:

    c:\windows\explorer32dbg.exe
    c:\windows\iexplore_dbg.exe
     
  19. iamPatrick

    iamPatrick Private E-2

    Yes when I ran it the first time everything worked fine. It found the files and didn't give any errors. I will run it again.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also look for these and let me know if found:

    C:\Windows\Atlass.dll
    C:\Windows\System32\ALGU.exe
    C:\Windows\System32\SPOOLSV32.exe
     
    Last edited: Jun 6, 2005
  21. iamPatrick

    iamPatrick Private E-2

    Ok I tried to run "regsvr32 /u C:\WINDOWS\xmllib.dll", but it gave me an error. Not an executable, and no registration helper is registered for this file.

    I went through steps from message #13 again, in safe mode. (no errors)

    I do have these 2 files....
    c:\windows\explorer32dbg.exe
    c:\windows\iexplore_dbg.exe
    none of the other ones are there.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixtsp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixtsp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.




    Then do the steps with killbox again but add two more files to the procedure (at the top)

    Now, Copy and Paste c:\windows\explorer32dbg.exe into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

    Now, Copy and Paste c:\windows\iexplore_dbg.exe into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!
     
  23. iamPatrick

    iamPatrick Private E-2

    Ok I performed exactly like you said, but now I have no icons or taskbar. No desktop at all.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you enter: c:\windows\explorer32dbg.exe and c:\windows\iexplore_dbg.exe
    Or did you enter c:\windows\explorer.exe ?

    Hit CTRL-ALT-DEL to bring up Task Manager and click on File, New and enter explorer.exe and click OK. Does that work and bring back your Desktop?
     
  25. iamPatrick

    iamPatrick Private E-2

    Yes actually I copied and pasted it in from your post. (c:\windows\explorer32dbg.exe, c:\windows\iexplore_dbg.exe)

    It will not bring me back to desktop though. It says it cannot find c:\windows\explorer.exe even though I see it right there.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the same thing to bring up Task Manager but enter the full path to the file:
    c:\windows\explorer.exe

    How are you looking for files if explorer is not running?
     
  27. iamPatrick

    iamPatrick Private E-2

    It gives me a browse button from Task Manager's run command. I have tried entering the full path.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you running Internet Explorer from this problem PC in order to come here?
     
  29. iamPatrick

    iamPatrick Private E-2

    LOL... no I am on another computer.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From Task Manager, enter cmd and click OK! Does a command prompt window open?

    If so enter the below and tell me what happens:

    cd c:\i386

    dir explorer.*
     
  31. iamPatrick

    iamPatrick Private E-2

    Yes at command prompt, it tells me that in directory C:\i386 2 files explorer.ex_ and explorer.SC_
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now type the below and tell me what it says.

    expand explorer.ex_ c:\windows\explorer.exe
     
  33. iamPatrick

    iamPatrick Private E-2

    It said expanding explorer.ex_ to c:\windows\explorer.exe
    explorer.ex_ 351603bytes expanded to 1004032bytes, 185% increase
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now at the command prompt type:

    explorer.exe


    What happens?
     
  35. iamPatrick

    iamPatrick Private E-2

    grrr. It still says windows cannot find explorer, or c:\windows\explorer
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go back and do the below again (notice it is slightly changed to make a copy in the i386 folder):


    expand explorer.ex_ explorer.exe

    Now enter:

    explorer.exe

    Does that work?
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note these problems we are having are all due to the infection you had. It attaches itself to explorer.exe and iexplore.exe (that is Internet Explorer) and that's why we were having problems removing it.
     
  38. iamPatrick

    iamPatrick Private E-2

    No, it still didn't run; says cannot find file c:\i386\explorer.exe
     
  39. iamPatrick

    iamPatrick Private E-2

    yes and I very much appreciate your help with this problem.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you type in regedit and hit enter does the registry editor open?
     
  41. iamPatrick

    iamPatrick Private E-2

    yes it does
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's good. Are you familiar with using regedit?


    Does your prompt currently say something like:

    c:\i376>

    If so, type

    dir explorer.*

    Do you see explorer.exe in the list and what is the file size?
     
  43. iamPatrick

    iamPatrick Private E-2

    I am only a little familiar with regedit.
    Yes it is showing explorer.exe in c:\i386 file size is 1004032
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Type in the below:

    copy explorer.exe myexp.com

    Then type:
    myexp.com

    Does that bring up an explorer shell (desktop)?
     
  45. iamPatrick

    iamPatrick Private E-2

    Yes that brought up windows explorer shell, but not full desktop.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have any way you can put the below quote box text into a file named fixtsp.reg and then get it copied to the problem PC. Perhaps a floppy disk?

     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below files actually gone now?
    c:\windows\explorer32dbg.exe
    c:\windows\iexplore_dbg.exe
    C:\WINDOWS\xmllib.dll
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE
     
  48. iamPatrick

    iamPatrick Private E-2

    Ok I got it. do you want me to run fixtsp.reg?

    Sadly all the files are still there except
    c:\windows\explorer32dbg.exe
    c:\windows\iexplore_dbg.exe
    which looks like those two are probably now
    c:\windows\explor~1.exe
    c:\windows\iexplo~1.exe
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That means they are all there. Those are the shortened DOS names. If you use that explorer window that opened I would expect the full name to appear.

    Bring up Task Manager again and then Processes. Find Explorer.exe , Highlight it (if running) and End Process. Ignore the warning. This would make your desktop disappear if there is a desktop. If you see any of these files in the process list then End them too.

    explorer32dbg.exe
    SMSSU.EXE
    Tmntsrv32.EXE
    iexplorer.exe
    iexplore_dbg.exe
    iexplore.exe

    Now from the command prompt Window you need to be in the folder where you saved the fixtsp.reg file. It would probably be easiest if you had copied it to c:\i386 where we were last working. Then enter the below command.

    regedit /s fixtsp.reg

    Then run pocket killbox and have it fix all of those files again. The list is below:

    c:\windows\explorer32dbg.exe
    c:\windows\iexplore_dbg.exe
    C:\WINDOWS\xmllib.dll
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE


    Let me know how that works out. I need to get some sleep now. It's 3 am here.
     
  50. iamPatrick

    iamPatrick Private E-2

    Thanks for all your help tonight. I have to get to sleep now too. Long day at work tomorrow.

    What is interesting though is from the windows explorer shell it shows those files as c:\windows\explor~1.exe
    c:\windows\iexplo~1.exe
     
