CoolWebSearch Hijacker disabled Add/Remove Programs applet

Bill

I have recently had two computers "infected" with the CoolWebSearch
malware. One of the symptoms of the infection was that the Add/Remove
Programs applet would not launch. After using Ad-aware to regain
control of the machines, the Add/Remove Programs applet in the control
panel still would not launch. Specifically, double clicking on the
applet produces no response.

I have tried to fix the problem by recreating registry entries:

regsvr32 mshtml.dll
regsvr32 shdocvw.dll -i
regsvr32 shell32.dll -i

I have also tried using the System File Checker:

SFC /PURGECACHE
SFC /SCANNOW

I am considering an in-place upgrade of Windows 2000. Are there any
other possible fixes to this problem???

Both machines are running Windows 2000 with SP4 and IE 6 with SP1.
 
Dave Patrick

Use the Group policy editor
%windir%\system32\gpedit.msc
User Config\Admin Templates\Control Panel\Add or Remove\Remove Add or Remove="Not Configured"

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


 
Kim

I have used "hijackthis" a number of times for this, and
have been successful each time. Adaware did not remove
the problem. Just be careful what you delete with this
program, as it also lists legitimate files.

HTH
Kim
 
Jason Hall [MSFT]

--------------------
From: (e-mail address removed) (Bill)
Subject: CoolWebSearch Hijacker disabled Add/Remove Programs applet
Date: 17 May 2004 09:52:36 -0700

--------------------

Does the problem still happen in Safe Mode?
If NOT then there may be some third-party browser component that is loading
up in Normal Mode and causing problems.
To disable these:
- Open Internet Explorer
- Clear the checkbox for "Enable third-party browser extensions
(requires restart)" found in Tools > Internet Options > Advanced
If this works, then you can proceed to delete the one(s) causing the
problem:
- Run Regedit
- Entries for browser extensions will be found in the below key.
Export and delete the suspect ones.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions

--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Bill

Thanks for the recommendation, but no joy!!! All entries in the Group
Policy are "Not Configured"

Thanks Again,
Bill
 
Bill

Thanks for the recommendation, but no joy!!! I tried HijackThis and
removed a couple of questionable entries but the problem persisted.
In the Safe Mode the following was the result of a HijackThis scan:

Logfile of HijackThis v1.97.7
Scan saved at 12:16:52 PM, on 5/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\temp5\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: ACT! 2000.lnk = C:\Program Files\Symantec\ACT\act.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38106.5361226852
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = snet.dolphincap.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35666D89-8E0F-467F-9D8A-E8B8353BFEA6}: NameServer = 192.168.23.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = snet.dolphincap.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = snet.dolphincap.com



Thanks Again,
Bill
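
Added example, not part of the original thread: a small Python parser for a HijackThis log like the one posted above. It rejoins entries that a mail client wrapped and lists the ones that load into Internet Explorer (the O9 items are the ones stored under the Extensions key named earlier in the thread) so they can be reviewed by hand before anything is deleted. The function names and the section descriptions are this example's own; joining wrapped lines with a single space is an assumption.

```python
import re

# Meaning of the section codes that occur in the log above (HijackThis 1.97.x).
SECTIONS = {
    "R1": "IE start/search page value",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)",
    "O9": "extra IE button or Tools menu item",
    "O16": "downloaded ActiveX control",
    "O17": "TCP/IP domain or name server setting",
}
# Codes whose entries load into Internet Explorer itself.
BROWSER_LOADED = ("O2", "O3", "O9", "O16")
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Excerpt of the log posted above, kept with its newsreader line wrapping.
SAMPLE = r"""
Logfile of HijackThis v1.97.7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
snet.dolphincap.com
"""

def parse_entries(log_text):
    """Return [(code, text)], rejoining entries split across lines."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        match = ENTRY.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif line and entries:
            # Not a new entry: treat as the wrapped tail of the previous one.
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def browser_addons(entries):
    """Entries that add code or UI to Internet Explorer, for manual review."""
    return [(code, SECTIONS.get(code, "unknown"), text)
            for code, text in entries if code in BROWSER_LOADED]

if __name__ == "__main__":
    for code, meaning, text in browser_addons(parse_entries(SAMPLE)):
        print(f"{code:<4}{meaning:<36}{text}")
```

The output is only a review list: a listed entry is not necessarily unwanted, since the log also contains legitimate components.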
 
Bill

Jason, thanks for the recommendation, but no joy!!! The problem is
present in the safe mode.
 
