
Coolwebsearch


dreamtfk (Member, joined Feb 1, 2002, Orlando FL):
I cannot get rid of this crap no matter how hard I try. I have used many programs (cwshredder, s&d, ad aware, giant antispy, hijack this) and have also run everything in safe mode. Every time I remove cws it just reinstalls itself; this is by far the nastiest spyware/browser hijacker I've ever had on my system. I could really use some help on this one... :-/
 
What version of CWShredder are you using?

I would go into safe mode, and clear all contents of all temp folders by going into the local settings folder for each user. Then I would run CWShredder, then run HijackThis to ensure there are no reg entries which are reobtaining the CWS files. Post the HJT log here after running shredder so we can make sure everything is definitely clean. Then, before restarting, I would update Spybot and Ad-Aware and run those.

After that, if it returns, we can be certain that this is a new CWS version which the now somewhat dated CWShredder does not detect or fully remove. In that case, we can move on to manual removal.
 
As said above, go into Safe Mode. Delete all temp files for each user (Temporary Internet Files and the files in the temp folder). Run Ad-aware, Spybot, HijackThis, and CWShredder. Then before you restart, run msconfig and check the system.ini & win.ini for suspicious entries. That should get rid of it all.
 
I had the same problem.

This will entail editing the registry; don't do this unless you know what you are doing!!

go to local machine > then Software > microsoft > windows > run
delete anything to do with my websearch or coolwebsearch

then do the same again for local user >soft.. > micro ...> >run etc

after both of these have been done do again but go to run once

hope this helps
 
HJT automates that process basically... It will scan to find these entries and if you check one of the results the registry key will be removed. ;)
 
HijackThis, however, doesn't do anything with the System.ini or Win.ini files. I have found this to be a problem. I have seen many instances where these had executables that ran at startup and they would reinstall the spyware/virus I was trying to get rid of. We need a single program that will do what msconfig, Ad-Aware, Spybot, HijackThis, and CWShredder do.
 
Ok in safe mode I emptied the internet temp folder and the windows/temp folder. I ran the programs in this order: cwshredder (nothing) Spybot (3 dso exploits) ad-aware (the same coolwebsearch reg entries as usual) and then Hijackthis (log created) I noticed however when I ran Hijackthis again in regular startup that there were 2 entries (easysearch.biz) that were not shown in the safe mode scan. I should also note that ever since I have had this problem I have been unable to use Notepad, only wordpad.

Logfile of HijackThis v1.98.2
Scan saved at 8:44:43 PM, on 11/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINDOWS\stisvsq.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\iau.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\svshost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/044da229e5871a985201/netzip/RdxIE601.cab
 
You have some considerable problems judging by that log. I would guess that you probably cannot access many popular AV sites. Found many examples of many of the things you have, many of which I think relate to easy-search.

Fix these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe

After fixing those, delete these files. These files may be in use and the processes may not shut down if you end task, so you may have a hard time deleting them. Restarting in safe mode may make this easier:

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\svshost.exe

Then reboot and post a new log for us. Those are the glaring problems; there may be more going on, but this is a start.

Lssas (agobot or gaobot) and svshost (Worm.P2P.Spybot.gen) and mservice (Downloader.Win32.Small.bj) are trojan infections. Mservice invited his buddies msqdevl and stisvsq over for the party at your place.
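A triage sketch for the O4 entries in the log above, added here as an example and not part of any post in this thread: it flags Run values that give a bare filename, sit within two edits of a genuine Windows process name, or are registered under both HKLM and HKCU. The `SYSTEM_NAMES` list, the two-edit threshold and the function names are assumptions; the sample lines are a subset copied from the first log.

```python
import re

# Sample input: a subset of the O4 lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

# Assumption: a short list of genuine Windows process names that malware tends to imitate.
SYSTEM_NAMES = ("lsass", "svchost", "services", "csrss", "winlogon")
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[.+?\] (?:"([^"]+)"|(\S+))')

def edit_distance(a, b):
    """Plain Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(log_text):
    """Map each bare-filename Run entry to the set of reasons it looks suspicious."""
    hives = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m and m.group(3) and "\\" not in m.group(3):
            # No directory given, so the name is resolved through the search path.
            hives.setdefault(m.group(3).lower(), set()).add(m.group(1))
    findings = {}
    for name, seen_in in hives.items():
        reasons = {"bare filename"}
        stem = name.rsplit(".", 1)[0]
        for real in SYSTEM_NAMES:
            if 0 < edit_distance(stem, real) <= 2:
                reasons.add("resembles " + real + ".exe")
        if seen_in == {"HKLM", "HKCU"}:
            reasons.add("registered in both hives")
        findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(name, "->", ", ".join(sorted(reasons)))
```

The match is on the lookalike `lssas.exe`; `lsass.exe` under `system32` is the genuine Windows security process, sits at distance 0 from the reference name, and is never flagged.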
 
I don't know what to do, it just won't go away. I deleted all the entries you said and the files you said in safe mode and then restarted; now they are all back again. I went into regedit myself and checked the reg key that ad-aware keeps referring to as Coolwebsearch and found that I could not manually delete the key (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3). Here's the log again; as you can see, it just keeps re-registering itself in the registry, and all the /windows files I deleted have returned as well.

Logfile of HijackThis v1.98.2
Scan saved at 7:46:36 PM, on 11/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Utilities\HijackThis.exe
C:\WINDOWS\regedit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/044da229e5871a985201/netzip/RdxIE601.cab
 
You will need to have all temp files cleared when doing this and system restore turned off.

Add these entries to the previous list and try again:

O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/044da22...ip/RdxIE601.cab
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

If this does not work still, I suggest you go over to majorgeeks.com and post on their forums about it - there is a member there who will help you, and he is very good - Chaslang. You can mention that I sent you over, and they may remember me. I've visited a few times and helped them with a few sticky details. ;) They may have more experience with this problem.
 
tom10167 said:
mservice.exe - Trojan
msqdevl.exe - Trojan
stisvsq.exe - Trojan
iau.exe - Trojan

So should I run an AV program? I have Norton 2004 on CD. I know for a fact however that I have coolwebsearch on my computer.
 
I don't know if you noticed, but I mentioned that those were trojan infections - they are all documented well by symantec and mcafee, so you could attempt following their removal instructions - I thought we might get lucky and be able to just cut out their guts with removing these reg entries and the associated files. Here are the names I mentioned earlier of the infections if you want to start hacking away at them:

Lssas (agobot or gaobot) and svshost (Worm.P2P.Spybot.gen) and mservice (Downloader.Win32.Small.bj) are trojan infections. Mservice invited his buddies msqdevl and stisvsq over for the party at your place.

Personally, I'd try to get an updated virus scan running and see if it could clean it first. The problem is, these things might try to prevent you.

If you aren't running AV protection, I probably wouldn't have bothered trying to help you in the first place. :D Yes, you need to run an updated antivirus scan, and you need to download windows updates.
 
I was running Norton 2004 but it started crashing my computer so I uninstalled it. I am unable to update it because my internet is screwed up again because of this virus/spyware, whatever. My connection is good because I am able to download with p2p programs; I just can't view any web pages.

I'm starting to think I might have to just reformat my HDD :(
 
Get AVG antivirus 6.0, or the 7.0 trial. Free and it will pwn the viri, just hold F8 on bootup and boot into Windows via safe mode with networking. Then scan-away.
 
Well, it seems rebooting into safe mode, clearing all temp files, disabling system restore and then running AVG and Ad Aware did the trick; let's just hope it holds.
 