Spyware I cannot remove.

[Ulrik Dige]

Hi, I wonder if this is the right section to put my
question, but here I go:

It seems that our computer has caught a spyware-thing,
that my antispyware-programme cannot remove. My IE-
startpage is change and I cannot re-change it and keep it
there. It comes up with a strange search-page and causes a
few other (it seems) things.

I have only got free-ware programmes (Ad-ware and Spybot).
They can detect the spyware, but seemingly not remove it.
But is it not possible to manually remove such things?
Does anyone outthere know how to do it and do youdare
guide me through such an operation if I gave you an
description of the (to me known) spyware-things on my
harddrive (names, location etc.)?

I hope that someone can help as this problem starts to
annoy us!

Greetings

 

[Guest]

when i had this problem i went in the registry editor and searched for the web address that the home page is set to and deleted every result that came up with a match to that website. Also check in task manager for processes that don't look familiar to you and stop them. If you find the right one that will let you change the home page searh for that process (whatever.exe) and delete it, but make sure you're definate it is the right one.

Sorry i can't be more in depth about what process to look for but they could be called anything. When the search files and folders come up with a folder where the .exe lives get rid of that too.

Hope this helps

 

[Guest]

Hi again and thank you for your reply.
I went to regedit, but wow there is a lot of stuff in
there. I do not know where to begin and where to end and I
am not very keen on touching anything. I tried to search
for the webadress of the search-page which is a strange
one: it says nothing but 'about:blank' in the adress-line,
but nothing came up.

Could you possibley give me a little more guiding?
Please...

Greetings

-----Original Message-----
when i had this problem i went in the registry editor and

searched for the web address that the home page is set to
and deleted every result that came up with a match to that
website. Also check in task manager for processes that
don't look familiar to you and stop them. If you find the
right one that will let you change the home page searh for
that process (whatever.exe) and delete it, but make sure
you're definate it is the right one.

Sorry i can't be more in depth about what process to look

for but they could be called anything. When the search
files and folders come up with a folder where the .exe
lives get rid of that too.

 

[manfred müller]

try the program "CWShredder"

should solve your problem

 

[Guest]

Hi,
could you say a little about what it does and where I can
obtain it?

 

[manfred müller]

CWShredder Review
A small utility for removing CoolWebSearch (aka CoolWwwSearch,
YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D tends to
forget essential parts of the hijack, so until it updates, you can just this
to completely remove the hijack. Updated to remove the new variants once
they come out.

This tool will find and destroy all traces of the CoolWebSearch (CWS)
hijacker on your system. This includes:

· Redirections to CoolWebSearch related pages
· Redirections when mistyping URLs
· Redirections when visiting Google
· Enormous IE slowdowns when typing
· IE start page/search page changing on reboot
· Sites in the IE Trusted Zone you didn't add
· Popups in Google and Yahoo when searching
· Errors at startup mentioning WIN.INI or IEDLL.EXE
· Unable to change or see certain items in IE Options
· Unable to access IE Options at all

http://www.soft32.com/download_19014.html

 

[Guest]

Thank you. It helped!

-----Original Message-----
CWShredder Review
A small utility for removing CoolWebSearch (aka CoolWwwSearch,
YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D tends to
forget essential parts of the hijack, so until it updates, you can just this
to completely remove the hijack. Updated to remove the new variants once
they come out.

This tool will find and destroy all traces of the CoolWebSearch (CWS)
hijacker on your system. This includes:

· Redirections to CoolWebSearch related pages
· Redirections when mistyping URLs
· Redirections when visiting Google
· Enormous IE slowdowns when typing
· IE start page/search page changing on reboot
· Sites in the IE Trusted Zone you didn't add
· Popups in Google and Yahoo when searching
· Errors at startup mentioning WIN.INI or IEDLL.EXE
· Unable to change or see certain items in IE Options
· Unable to access IE Options at all

http://www.soft32.com/download_19014.html





.

 

[tthallah]

i have the same problem, it doesn't remove it Definitely . When i
start my pc again, than the F** startpage is coming back. HOW do you
removed it realy.

CWShredder has found this spyware below....
CWS.Searchx

Any suggestions............... tnx for the trouble...

regards,
Tahllah

 

[Nathan Brazil]

First - this is just for reference. Use any or all of this info AT YOUR OWN
RISK. I spent all day yesterday battling with a variant of a very nasty
trojan - one that you may or may not have. I REALLY hope you don't!! But
if you do have the one I had, it's a tough one to kill. These really are
just "notes" that I'm hoping may somehow help. I hope everyone will excuse
this long post and my lack of "more recent" common computer jargon. I'm an
old Novell guy.
---------------------------
The one I fought yesterday certainly was a malicious piece of garbage - the
one I had kept morphing so it was tough to remove. I fought with it for a
full day and *finally* got it subdued, using some tricks and Ad-Aware
version 6. But it was a monumental battle.

If you are pretty handy with Windows and registry editing, read further. If
not, you may want to call in expert help. You may just want to call in an
expert anyway. I can't guarantee that any of this will help you - but
perhaps this will be helpful in some way, shape or form. I'm not in any way
recommending that you follow these steps to try to get rid of your spyware -
but you can try them if you are about ready to reformat your entire drive
anyway.

Here are some things that I had to do to get rid of this beast:

First: - there's a service called something like "Network Security Service"
that I had to disable in the services. It was responsible for keeping the
evil registry keys in tact even when I deleted them. It's part of the
trojan setup.

In the registry file under the
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
area I found 2 to 3 suspicious executable files that would not go away. I'd
delete them and within a few seconds they would be right back. Finally I
wrote executables (in of all things Microsoft QuickBasic 4.5!) matching the
names of these programs (executables that did nothing but do an old "print"
command) and placed them where the registry keys stated that the suspicious
executables were supposed to be. Oddly, the executables I thought I was
replacing weren't in those directories, but I had a strong feeling that
they'd be written to these locations when I shut down or started up - so
that they would conveniently load the trojan each time I booted my system.

My spyware infestation kept writing .dat, .dll and .exe files to the Windows
and Windows/System32 directory - hundreds and hundreds of them. Some were
set with system and hidden attribute flags on. I booted to safe mode and
moved all of these files to another drive. The files had different sizes
but were dated within the last month. Removing the right files and NOT any
system files that you need will take a skillful computer user so be
extremely careful if you try this. Most files had either 5 or 6 letters
before the file extension. Examples: xtrsvt.dll, pstd32.dll, xvrtm.dat,
etc. The characters were pretty random. Before i was done I had move over
6 megabytes of them - after zipping them up!! Many had a "32" at the end of
their prefixes.

There may have been entries in the RunOnce and RunOnceEx keys as well - I
don't recall but it would not surprise me.

Another thing of note - there were several suspicious processes running in
my task manager. I figured out which ones were causing my woes (some
matched the executables in my registry keys listed above) - but I could NOT
shut them down from within the task manager. Ack!

In my "Add/Remove Programs" I had a listing called "Home Search Assistent".
Note the misspelling. I tried to use this to remove any remaining garbage
but it does not work. I fear It's a permanent battle scar.

Here's a web site where I found some of these tips: This one was FULL of
info - and despair of a suffering victim.

http://www.computing.net/security/wwwboard/forum/12346.html

Here's another:

http://computercops.net/postp215213.html - I think this post is a bit
outdated as my variant kept writing new file names each time I'd find and
delete the old ones. But it mentions much of what I did to get my spyware
gone for good.

Here's another with a lot of info but it didn't help me - it may help you.

http://64.233.161.104/search?q=cach...guy.org/t235976.html+coolsearch+removal&hl=en

I hope this was helpful. Let me know. Believe me - if you have what I had,
I know what you are going through. Unfortunately, mine had infected a
Microsoft 2000 Small Business Server!! :-(

Nathan Brazil