Hi,
I've been having recurring problems with the coolwebsearch malware thing - I keep following various instructions to get rid of it, but it just comes back again and again.
I've updated Windows, run AdAware and two versions of CWS Shredder. The first, which I thought was the latest for ages, kept removing something called CWS.yexe, but it keeps coming back (normally it redirects whatever internet site I'm on to a porn advert, and I get a porn link on my desktop - although sometimes this calls itself fethard_too - plus the WebSiteViewer folder).
The second - v2.12, I think this one is the latest - will scan for the CWS files fine, but when it gets to CWS.yexe, a box pops up saying that 'this programme has performed an illegal operation and will have to be shut down'. Which obviously doesn't get rid of anything.
Help! Many thanks in advance.
M

Give Spybot S&D a try. It should work for you
Make sure to up-date it before using it.
1-Check for problems
2-Fix Problems
3-Immunize
If that doesn't work, try Hi-Jack This then copy and paste the results into Hi-Jack This analyzer
DON'T delete anything you are not sure of.
Make sure to make a folder in your program files and open Hijack This from there. That way it will keep a backup of what you are fixing in Hijack This, in case you delete the wrong thing. Post back if you need any more info.
If you need a simple solution, try mine. I try to give advice on things that have happened to my PC. Glad to have a chance to help you.

Mia, you may have one of the worst, it's the CWS hijacker. What happens is that every time you reboot your computer, the spyware renames itself and is thus extremely difficult to trace. Your computer is not in immediate danger, it's just a super pain.
Do not use the HiJack This Analyzer; it is very undependable, and will target entries that are legit, and will miss some that are spyware. AdAware and Spybot will not kill this infection, and Cool Web Shredder might, but it's iffy.
Go to this link, and post your HiJack This log. Don't forget to move HT into its own folder, do not run it from Temp or root C drive. These guys will help you, just be patient because it's close to Christmas and they may take a day or so. OR they may be quick.
Link: http://www.suggestafix.com/index.php?s=1953674d90d1b695f450a5d5fb3cc7ce&act=SF&f=15
Give a man a fish and you feed him for a day;
Teach a man to fish and you feed him for a lifetime;
Then industry pollutes the water and kills all the fish.

I tend to disagree with Ranchhand. I've used those progs on many machines and I'm sure I explained making a new folder.
Thanks

But I do agree with him when he says let someone else that's knowledgeable help figure out the nasties. Also, at one point after using the analyzer...I forgot about my backups and just did a system restore, and all was fine.

Thanks so much guys.
I tried SpybotS&D - it didn't work unfortunately. I've posted my HijackThis log on the forums you suggested - hope they can do something, it's making the computer run rather slowly.
ranchhand, the CWS hijacker sounds exactly like what I have - every time it does its thing, a different icon appears on the desktop - sometimes a porn one, sometimes fethard_too.
I got Cool Web Shredder 2.12 to work (don't know how) - it said it managed to remove CWS.yexe, but when I turned the computer on again it was still here.
I'm not sure I understood the whole 'creating a new folder' thing... I created a new folder in Program Files and created a shortcut to HijackThis in it, then opened the program from there... was that right?
Thanks again, you're stars.
M

hi mia,
lets try this:
disable your system restore to flush out your restore folder of any malware.
then go online and get all the latest defs for any program that you are using such as your anti-virus, spybot, and adaware.
once done, reboot and go to safe mode.
in safe mode scan with all of these, and delete all files they come up with.
also clean your temp internet files, temp files, cookies folder and history folder then clean your recycle bin.
next go to hijackthis and do a scan and put a check next to these entries:
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.exe
O4 - HKCU\..\Run: [Shareaza] "C:\PROGRAM FILES\SHAREAZA\SHAREAZA.exe" -tray
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.exe
O4 - HKCU\..\RunServices: [Shareaza] "C:\PROGRAM FILES\SHAREAZA\SHAREAZA.exe" -tray
O4 - HKCU\..\RunServices: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1,194.168.4.100,194.168.8.100
for the last one (17) call up your isp service company and check to see if that address corresponds to yours if not delete it.
next go to start button, then run, type in services.msc and do a search for the files:
MSXMIDI.EXE
SHAREAZA.EXE
cws.yexe
they could be in any of the services so be vigilant and when found disable that service.
next reboot back into normal mode and do a search for the same files and when found delete them.
re enable your system restore and do another scan using all of your armory.
all the best,
merry christmas
murve

Unfortunately this .net forum just is not set up for this kind of help. I can read a HiJack This log, but I am out of my league with the morpher. It doesn't play fair. :0) I notice in your log you also have the LOP infection, so they will take care of that also.
You will be fine, just sit tight and someone will be along shortly.
Yankanuk: Guy, I apologize if I came on like Tarzan; your suggestions were helpful and good and I'm sorry if I could have commented a little more tactfully.

no problem ranchhand,
yankanuk

Hi Murve, my best to you...
You might want to be careful about deleting that 017 entry; if I am not mistaken that is a LOP infection in her stack. Overtly deleting that file will break her internet connection and will be very difficult to repair.

Mia,
Here's a page on how to install and use Spybot, you said it wouldn't work for you.
http://ict.cas.psu.edu/training/howto/util/InstallConfigSpybot.htm

murve - forgive me, I am not hugely computer literate - how do I disable my system restore? And how do I go into safe mode?
yankanuk - thanks - I didn't have a problem using Spybot though, I just meant that it didn't get rid of the malware.

hi mia,
just noticed you are using win98.
disabling system restore is a no go.
what you must do is get latest defs and go directly to safe mode.
sorry for the inconvenience caused, and be sure to find out about the no. 17 in your hijackthis log, please read what ranchhand has to say about it above.
all the best to you and to all the guys here trying to help.
murve

Hi Murve.
Followed your instructions: when I ran the HijackThis scan, many of the files you told me to delete weren't there (the msxmidi ones). I didn't delete the Shareaza ones because I don't think that programme could have anything to do with CWS - it wasn't running when my computer got infected - and I don't want to harm that programme.
When I typed services.msc into the Run box, it wasn't recognised.
Obviously I can't get hold of my ISP provider right now, but the 192 number is definitely the correct ISP address - I went through it with them last month for some separate problems.
When I run CWS 2.12 now it doesn't find any CWS file anywhere. Everything's running smoothly, faster than it's done since it got infected. However it did this about an hour ago as well - I thought CWS might have got rid of the malware - but after about 45 minutes the website I was browsing randomly turned into a porn site. So I'm cautiously optimistic, but not 100% sure that this thing won't come back.

Mia, they have answered you on the other website, you might want to check it out.

hi mia,
sorry for getting back to you so late.
about the services.msc, forget it you can only do this in winxp. try looking in your task list for this file (MSXMIDI.EXE) if found end task. as for this file ( shareaza.exe) you will find it in your start up files so delete it and the folder if found.
and remember about the no 17 in your hijackthis log: don't delete it. first call your isp service and find out if that address is legitimate.
all the best,
murve

Hi guys. Everything is still working fine - I think we may have got rid of it. (If not, I'll be back after the holidays...)
Thanks to everyone who helped me - merry Christmas to all!
M x

My little brother had coolwebsearch, and i tried everything to my knowledge to get rid of it, but i failed, and then when i installed msn plus the other day, i noticed that the sponsor prog looked like the coolwebsearchbar, so i simply uninstalled msn plus, rebooted the comp and ran adaware/spybot, and then it's completely gone =)
so if u got msn plus that might have been or still is your problem, in that case do as i did, then reinstall it WITHOUT the sponsor program, if you don't have it then i don't know, but u seem to have gotten rid of it so i guess it's ok =)

Hi Mia, one more thing before you go.
You do not have any protection for the
problem you had, can be found free.

Re your #5 - this bit:
"I'm not sure I understood the whole 'creating a new folder' thing... I created a new folder in Program Files and created a shortcut to HijackThis in it, then opened the program from there... was that right?"
Just to confirm that you did understand it. What you did was exactly right. It just means that any additional files HJT makes (backups/Ignore etc) will then go into this folder, which is the right place for it to access them.
One little tip. When (and only when) you are certain that all the entries in your HJT log are legitimate, tell it to ignore the lot (tick each one - Ignore). Then when you run the program it will say "no suspicious items found". From then on it will report only changes which will make it much easier to identify some newcomer as OK or not OK - no massive list to wade through. Keep this up to date when it changes.
If you are unsure then at least get it to ignore the ones that "you know" are legitimate items. Short lists are easier to manage than long lists.
Derek.W
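
The "ignore the known-good entries, then watch only for changes" tip in the post above amounts to diffing each new scan against an accepted baseline. The following is an added example, not part of the thread and not HijackThis's own code; the two sample logs are constructed from entries quoted earlier in the thread, and the function names are hypothetical.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_log(text):
    """Map a normalised key -> original line for every entry in a log.
    Header lines do not match ENTRY_RE and are skipped. Keys are case-folded with
    whitespace collapsed, since Windows paths and key names are case-insensitive.
    """
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, detail = m.groups()
            entries[(section, " ".join(detail.split()).casefold())] = line.strip()
    return entries

def _order(key):
    section, detail = key
    return (section[0], int(section[1:]), detail)  # F1 < O2 < O4 < O17

def diff_against_baseline(baseline_text, current_text):
    """Return (new, gone): entries only in the current log, and only in the baseline."""
    base, cur = parse_log(baseline_text), parse_log(current_text)
    new = [cur[k] for k in sorted(cur.keys() - base.keys(), key=_order)]
    gone = [base[k] for k in sorted(base.keys() - cur.keys(), key=_order)]
    return new, gone

# Constructed sample: entries quoted in the thread, split into an accepted baseline ...
BASELINE = r"""
Logfile of HijackThis (constructed header line)
O4 - HKCU\..\Run: [Shareaza] "C:\PROGRAM FILES\SHAREAZA\SHAREAZA.exe" -tray
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1,194.168.4.100,194.168.8.100
"""
# ... and a later scan; the Shareaza line differs only in case and must not be reported.
CURRENT = r"""
Logfile of HijackThis (constructed header line)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.exe
O4 - HKCU\..\Run: [shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1,194.168.4.100,194.168.8.100
"""

if __name__ == "__main__":
    new, gone = diff_against_baseline(BASELINE, CURRENT)
    print("\n".join(["NEW  " + l for l in new] + ["GONE " + l for l in gone]))
```

Only the two autostart entries that are absent from the baseline are reported, which is the short list the tip is after.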


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.