CoolWWWSearch.Bootconf

Status
Not open for further replies.
Hi.
I've read the thread "How to remove Begin2Search / CoolWebSearch", and done everything described.
But I still have this problem:
homepage changes, Back doesn't work in Internet Explorer, messages "your computer might be at risk", pop-ups.
I've repeated the whole procedure 2 times, but I still have CWS.bootconf.
I've used Hijackthis 1.98.2, because the 1.99 closes after the scan and doesn't let me fix and save log.
I need some help
 

Attachments

  • HJT.txt
I've already tried CWshredder: it doesn't find anything.
I've tried also CoolWSearchSmartKiller, but it's the same.

Ad-aware and Spybot S&D find it, fix it, but after that it comes back again!

HELP!!!
 
Boot in Safe Mode.
Stop System Restore.
Press ctrl/alt/del and in Taskmanager try to STOP these:

miniport_mp.exe
rdspclips.exe

Next, run HJT on its own (v1.98.2 will do for the moment) and have it 'fix' if still there:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Name - {2DDF8558-EEED-48EF-95E6-6470D6929FDE} - E:\WINDOWS\System32\msiqq.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - E:\WINDOWS\System32\netcfg.dll
O2 - BHO: (no name) - {EC4508C2-9ABF-4CF2-B39F-C42BB3C054CF} - E:\WINDOWS\System32\qwsxp.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - E:\WINDOWS\System32\iesp2.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MiniPortRt] E:\WINDOWS\System32\miniport_mp.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter: tœ†5òÏTÆR - {DF897AA7-7450-4B5B-95AD-5D2ED050D75B} - E:\WINDOWS\System32\qwsxp.dll

When done, delete the bold files.

Boot in normal mode, check how things go.
If OK, start System Restore.
D/L newest HJT and post another log, just to be sure.
 
Thank you for your precious help.
I've done as you said.
Now it's quite OK, but I still have problems:

- Sponsored links in internet pages

- When I open IE it gives this error: opening page res://E:\WINDOWS\System32\shdoclc.dll/dnserror.htm...

- HJT 1.99 still doesn't work: it completes the scan but automatically closes.

- SpyBot S&D resident found an attempt to download a known spyware immediately after opening IE.

Any other idea?
Here's the new log: (the attachment button seems not to work)

Logfile of HijackThis v1.98.2
Scan saved at 17.13.56, on 06/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\File comuni\Symantec Shared\ccProxy.exe
E:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
E:\Programmi\Norton Internet Security\ISSVC.exe
E:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
E:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Programmi\Iomega\DriveIcons\ImgIcon.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
E:\Programmi\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Programmi\File comuni\Symantec Shared\ccApp.exe
E:\Programmi\Iomega\AutoDisk\AD2KClient.exe
E:\Programmi\Ontrack\SMARTDefender\smrticon.exe
E:\WINDOWS\system32\mapiicon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\Programmi\Diskeeper 9 Professional\DkService.exe
E:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
E:\PROGRA~1\Iomega\System32\ActivityDisk.exe
E:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Programmi\Messenger\msmsgs.exe
E:\Programmi\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Iomega Startup Options] E:\Programmi\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] E:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [EM_EXEC] E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "E:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Programmi\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Programmi\Diskeeper 9 Professional\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Iomega Active Disk] E:\Programmi\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [SMARTDefender] E:\Programmi\Ontrack\SMARTDefender\smrticon.exe
O4 - Startup: ADSL Diagnostic Tools.LNK = E:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: E:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll
 
The logs look quite different, one taken in normal mode and one in safe mode?

Anyway, boot in safe mode again.
Stop System restore
ctrl/alt/del try and stop CDANTSRV.EXE (was not there last time!)

Run HJT again and try to 'fix':
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ADSL_A2] A2Installed

Then delete the 2 bold files.
How is that?

And I forgot to say: STOP using that bleeding Internet Explorer!
Get Firefox from www.getfirefox.com and use that from now on!
Use IE ONLY for Windoze-updates
 
Maybe off topic here, but maybe important to you, after you read:
I noticed something in your HijackThis log - two different entries, one may be
a virus:
E:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\MSMSGS.EXE

Some viruses, mostly trojans, try to imitate a normal file by using one or more upper case letters - to get by anti-virus scanners that record every file only in lower case. With my suspicion, I searched for MSMSGS.EXE. Here is one page I found, there are more:
http://www.liutilities.com/products/wintaskspro/processlibrary/msmsgs/

Myself, I do not really know if either of yours (msmsgs.exe or MSMSGS.EXE) is a virus or not. Bye.
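
Added example (not part of the thread, and not HijackThis code): a small parser for the HijackThis entry lines posted above that reports which entries marked for fixing reappear in the follow-up scan, and which entries point at a file in the running-process list. Paths are compared with case folded because Windows file names are case-insensitive; the sample lines are a subset copied from this page and the function names are illustrative.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# First absolute path in the line that ends in a module extension.
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)

def parse_entries(log_text):
    """Map (code, case-folded detail) -> original line for each entry line."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries[(m.group(1), m.group(2).casefold())] = raw.strip()
    return entries

def still_present(flagged_text, follow_up_text):
    """Entries that were marked for fixing but show up again in the next scan."""
    flagged, later = parse_entries(flagged_text), parse_entries(follow_up_text)
    return [line for key, line in flagged.items() if key in later]

def entry_path(line):
    """Case-folded file path referenced by an entry, or None if it has none."""
    m = PATH.search(line)
    return m.group(0).casefold() if m else None

def entries_for_running(log_text, process_paths):
    """Entries whose file is also in the running-process list."""
    running = {p.strip().casefold() for p in process_paths}
    return [l for l in parse_entries(log_text).values() if entry_path(l) in running]

# Sample data: a subset of lines copied from the logs in this thread.
FLAGGED = r"""
O2 - BHO: (no name) - {EC4508C2-9ABF-4CF2-B39F-C42BB3C054CF} - E:\WINDOWS\System32\qwsxp.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MiniPortRt] E:\WINDOWS\System32\miniport_mp.exe
"""
FOLLOW_UP = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "E:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\MSMSGS.EXE
"""
RUNNING = [r"E:\Programmi\File comuni\Symantec Shared\ccApp.exe",
           r"E:\Programmi\Messenger\msmsgs.exe", r"E:\WINDOWS\Explorer.EXE"]

if __name__ == "__main__":
    print("Still present after fix:", *still_present(FLAGGED, FOLLOW_UP), sep="\n  ")
    print("Backed by a running process:", *entries_for_running(FOLLOW_UP, RUNNING), sep="\n  ")
```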
 