TechSpot

CoolWWWSearch.Bootconf

By micky
Feb 5, 2005
  1. Hi.
    I've read the thread "How to remove Begin2Search / CoolWebSearch ", and done everythings described.
    But I still have this problem
    homepage changes, back doesn't works in internet explorer, messages "your computer might be at risk", pop-ups.
    I've repeted the whole procedure 2 times, but I still have CWS.bootconf.
    I've used Hijackthis 1.98.2, because the 1.99 closes after the scan and doesn't let me fix and save log.
    I need some help
     

    Attached Files:

    • HJT.txt
      File size:
      3.9 KB
      Views:
      5
  2. onecalifman

    onecalifman TS Rookie

    On this page: http://www.intermute.com/spysubtract/cwshredder_download.html
    there is a free and small program to delete CWSBootconf. CWSBootconf is listed on my copy of the program. On the above page, click the line that says: Download the stand-alone version of CWShredder. Follow the instructions. Bye.
     
  3. micky

    micky TS Rookie Topic Starter

    I've already tried CWshredder: it doesn't find anything.
    I've tried also CoolWSearchSmartKiller, but it's the same.

    Ad-aware and Spybot S&D find it, fix it, but after that it comes back again!

    HELP!!!
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Boot in Safe Mode.
    Stop System Restore.
    Press ctrl/alt/del and in Taskmanager try to STOP these:

    miniport_mp.exe
    rdspclips.exe

    Next, run HJT on its own (v1.98.2 will do for the moment) and have it 'fix' if still there:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Name - {2DDF8558-EEED-48EF-95E6-6470D6929FDE} - E:\WINDOWS\System32\msiqq.dll
    O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - E:\WINDOWS\System32\netcfg.dll
    O2 - BHO: (no name) - {EC4508C2-9ABF-4CF2-B39F-C42BB3C054CF} - E:\WINDOWS\System32\qwsxp.dll
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - E:\WINDOWS\System32\iesp2.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MiniPortRt] E:\WINDOWS\System32\miniport_mp.exe
    O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O18 - Filter: tœ†5òÏTÆR - {DF897AA7-7450-4B5B-95AD-5D2ED050D75B} - E:\WINDOWS\System32\qwsxp.dll

    When done, delete the bold files.

    Boot in normal mode, check how things go.
    If OK, start System Restore.
    D/L newest HJT and post another log, just to be sure.
     
  5. micky

    micky TS Rookie Topic Starter

    Thank you for your precious help.
    I've done as you said.
    Now it's quite ok, but I've still problems :

    -Sponsored links in internet pages

    - When I open ie it gives this error: opening page res://E:\WINDOWS\System32\shdoclc.dll/dnserror.htm...

    - HJT 1.99 doesn't work still: it completes the scan but automatically closes.

    - SpyBot S&D resident found an attempt to download a known spyware immediatly after opened ie.

    Any other idea?
    Here's the new log: (the attachment button seems not to work)

    Logfile of HijackThis v1.98.2
    Scan saved at 17.13.56, on 06/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    E:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    E:\Programmi\Norton Internet Security\ISSVC.exe
    E:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    E:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    E:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\Explorer.EXE
    E:\Programmi\Iomega\DriveIcons\ImgIcon.exe
    E:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
    E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    E:\Programmi\Easy CD Creator 5\DirectCD\DirectCD.exe
    E:\Programmi\File comuni\Symantec Shared\ccApp.exe
    E:\Programmi\Iomega\AutoDisk\AD2KClient.exe
    E:\Programmi\Ontrack\SMARTDefender\smrticon.exe
    E:\WINDOWS\system32\mapiicon.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    E:\Programmi\Diskeeper 9 Professional\DkService.exe
    E:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    E:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    E:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    E:\Programmi\Messenger\msmsgs.exe
    E:\Programmi\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Iomega Startup Options] E:\Programmi\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Programmi\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] E:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
    O4 - HKLM\..\Run: [EM_EXEC] E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "E:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [ADSL_A2] A2Installed
    O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Programmi\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Programmi\Diskeeper 9 Professional\DkIcon.exe"
    O4 - HKLM\..\Run: [ccApp] "E:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [Iomega Active Disk] E:\Programmi\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [SMARTDefender] E:\Programmi\Ontrack\SMARTDefender\smrticon.exe
    O4 - Startup: ADSL Diagnostic Tools.LNK = E:\WINDOWS\system32\mapiicon.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\MSMSGS.EXE
    O12 - Plugin for .mov: E:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    The logs look quite different, one taken in normal mode and one in safe mode?

    Anyway, boot in safe mode again.
    Stop System restore
    ctrl/alt/del try and stop CDANTSRV.EXE (was not there last time!)

    Run HJT again and try to 'fix':
    E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ADSL_A2] A2Installed

    Then delete the 2 bold files.
    How is that?

    And I forgot to say: STOP using that bleeding Internet Explorer!
    Get Firefox from www.getfirefox.com and use that from now on!
    Use IE ONLY for Windoze-updates
     
  7. onecalifman

    onecalifman TS Rookie

    Maybe not topic here, but maybe important to you, after you read:
    I noticed something in your HijackThis log- two different entries, one may be
    a virus:
    E:\Programmi\Messenger\msmsgs.exe
    9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\MSMSGS.EXE

    Some virus, mostly trojans, try to imitate a normal file by using one or more upper case letters- to get by anti-virus scanners that record every file only in lower case. With my suspicion, I searched for MSMSGS.EXE. Here is one
    page I found, there are more:
    http://www.liutilities.com/products/wintaskspro/processlibrary/msmsgs/

    Myself, I do not really know if either of yours(msmsgs.exe or MSMSGS.EXE) is a virus or not.Bye.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...