coolwwwsearch.homesearch

I have some spyware I can not get rid of please help! Norton does not find any virus, adaware doesnt find anything but spybot search and destroy finds an error during check it says coolwwwsearch.homesearch.
Here is the log
Error during check!: CoolWWWSearch.HomeSearch (Ungültiger Datentyp für '') ()


Congratulations!: No immediate threats were found. ()


Cache: Cache (143) (Cache, nothing done)


Cookie: Cookie (3) (Cookie, nothing done)


Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Sometimes it finds more log activity but it will delete everything but C:\WINDOWS\SchedLgU.Txt evertime. I have gone into safe mode and have been able to even delete this but then it comes back.

Here is my HJT log
Logfile of HijackThis v1.97.7
Scan saved at 9:23:17 PM, on 11/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Outdated log removed
Lonny
I would appreciate any help.

Thanks,
Derrick

 

Hi dfelix , welcome to the forums

Post a log from the current version please.
HijackThis 1.98.2
http://radiosplace.com/

 

Sorry Lonny here is the new log

Logfile of HijackThis v1.98.2
Scan saved at 10:21:10 PM, on 11/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Derrick Felex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rapido.fido.ca:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WinIEObj Class - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with &WinGet - res://C:\Program Files\Indentix\WinGet\WinIE.dll/300
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEA1E9B-7846-4FA3-80A1-83F452B6B5AB}: NameServer = 204.92.15.211 204.92.15.212
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BEA1E9B-7846-4FA3-80A1-83F452B6B5AB}: NameServer = 204.92.15.211 204.92.15.212

 

Aah yes my good old friend cruelwebsearch, or as others call it uncoolwebsearch. It can be a fun thing to remove properly.

Spybot will remove most strains of this menace, but for those it cant i recommend a program made just to remove coolwebsearch varieties.

The program is called CWSHredder and can be found at the link below. If it doesnt work, post back and i will suggest something else.

http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

 

Thanks Dez but I also tried CWSHredder 1.59.0.1 no luck it doesnt find anything.

 

The version available at the above link is version 2.0, so try it and if that doesnt work, a re-install may be in order, unless someone else has any ideas. I usually use these tools to remove adware, and if they dont work i re-install.

Spybot S&D
Hijack This
Nortons Internet Security
CWSHredder

 

Thats probably nothing to worry about, provided your not being re-directed when searching or your homepage is not being changed. ??
More information can be found here
http://forums.net-integration.net/index.php?showtopic=24389

I see nothing odd in that log except this
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\Messenger\msmsgs.exe" /background

That SchedLgU.Txt is just a tracts detection nothing to be concerned with.

 

I tryed the new CWShredder no luck then I went into safe mode used the administrator account and ran adaware it detected 6 things I deleted them then ran spybot her is the new log from spybot these items can all be deleted but one but they always come back is this anything to worry about it didn't happen before.

Here is both logs,
any help is appreciated
Thanks Derrick





Logfile of HijackThis v1.98.2
Scan saved at 1:23:20 AM, on 11/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Derrick Felex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rapido.fido.ca:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEA1E9B-7846-4FA3-80A1-83F452B6B5AB}: NameServer = 204.92.15.211 204.92.15.212
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BEA1E9B-7846-4FA3-80A1-83F452B6B5AB}: NameServer = 204.92.15.211 204.92.15.212





Spybot log:


Cache: Cache (98) (Cache, fixed)


Common Dialogs: History (2 files) (Registry key, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (2) (Cookie, fixed)


DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-4197240503-4255461614-2440072589-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Log: Activity: SchedLgU.Txt (Backup file, fixing failed)
C:\WINDOWS\SchedLgU.Txt

 

Only one thing i saw in your log that i wouldnt have running, and may also be an adware magnet.

C:\Program Files\Webroot\Accelerate\accelerate.exe

Not a big fan of web accelerators, they dont do enough good for the problems i see with many of them, and some attract adware.

Also not a huge fan of zonealarm but thats another story. It doesnt attract adware, but can be problematic with certain software.

Your system looks pretty clean. Maybe spybot did an update since you first used it for this problem. It is always a good idea to run Spybot or any adware scan in safe mode to get rid of all problems when you know you have a problem, and AFTER you check for updates for the adware scanner.