Need help removing coolwebsearch

Discussion in 'OT Technology' started by Derrict, Jan 8, 2005.

  1. Derrict

    Derrict No, I am not Amish OT Supporter

    Joined:
    Nov 19, 2003
    Messages:
    9,484
    Likes Received:
    1
    Location:
    Amish Country, PA
    Spy Sweeper "removes" it but it comes back immediately.

    Spybot won't even load properly now that I've got CWS.

    Adaware "removes" it but same effect as Spy Sweeper.

    CWShredder removed one but not the other.

    This is showing up on the startup list:

    Located: Startup (common), Microsoft.hta
    file:

    I'm trying Hijackthis after I post this, and probably a few other things. Any ideas?
     
  2. Derrict

    Here's what I removed with Hijackthis

    I took out the Microsoft.hta but still no luck.
     
  3. JayGee

    JayGee OT Supporter

    Joined:
    Dec 4, 2004
    Messages:
    5,207
    Likes Received:
    0
    It's a trojan file so it will start up each time you restart Windows.
    I recommend you visit www.antivirus.com and use their free scan tool.
    Also, check this out:
    Removal Instructions

    Merijn, author of HijackThis and StartupList, has created CWShredder specifically to remove this parasite. Please make certain that all browser and folder windows are closed before using CWShredder.
     
  4. Derrict

    CWShredder didn't even detect it. AVG detected it but can't remove it.
     
  5. JayGee

    Did you try the virus scan?
    Or did you disable suspicious things at startup?
     
  6. Penetration

    Penetration OT Supporter

    Joined:
    Jan 7, 2004
    Messages:
    19,258
    Likes Received:
    0
    Location:
    MMM my ding ding dong
    In safe mode: Log into an account that does NOT have administrator privileges. Disable system restore. Remove all cws from startup in MSCONFIG, manually remove CWS from all the start sections in the registry, run your antispyware programs, run the CWS shredder (it has always worked for me), then reboot.
     
  7. Derrict

    I finally got it removed. It looks like the root of the problem was from the AppInit.DLLs in the registry, located under \HLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows

    Using google, I found suggestions to rename the folder to \Windows2, deleting the AppInit.DLLs, renaming it back to \Windows, running all the spyware & anti-virus programs (spysweeper, avg, hijackthis, cwshredder), then rebooting. It kinda sucks CWShredder couldn't even detect it, which is the main purpose of the program. At least AVG and Spysweeper were able to detect it, but it still required manual removal.
     
  8. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    you renamed which folder to windows2?
    edit: nvm - the registry folder windows, i assume

    did you reboot after that?
     
    Last edited: Jan 9, 2005
  9. crontab

    crontab (uid = 0)

    Joined:
    Nov 14, 2000
    Messages:
    23,439
    Likes Received:
    11
    Use hijackthis and cwshredder to clean that annoying search engine and other malicious unwanted software.
     
  10. Derrict

    1) renamed folder
    2) deleted AppInit.DLLs
    3) renamed folder back to original name
    4) ran a bunch of anti-virus & spyware programs
    5) reboot
     
  11. Derrict

    If you read the first post, hijackthis and cwshredder didn't remove it completely. It kept coming back after each reboot until the file in the registry was removed manually.
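
Added example, not part of the thread: a read-only PowerShell audit of the AppInit DLL autostart value that post 7 identified as the root of the problem, listing each registered DLL with its file status and signature so an unexpected entry stands out. It assumes the standard Windows value name `AppInit_DLLs` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows` (the thread spells the key and value slightly differently); `Get-AppInitEntry` is a hypothetical helper name.

```powershell
# Added example: audit the AppInit_DLLs autostart value. Read-only, changes nothing.
# Key and value names below are the standard Windows ones (assumption: not copied from the thread).
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view on 64-bit Windows; absent on 32-bit systems.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitEntry {
    param([string[]]$Path = $AppInitKeys)

    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key

        # The value holds DLL names separated by spaces or commas.
        $raw  = [string]$props.AppInit_DLLs
        $dlls = $raw -split '[ ,]+' | Where-Object { $_ }

        foreach ($dll in $dlls) {
            # Bare file names are resolved from the system directory
            # (SysWOW64 for the Wow6432Node view; not handled here).
            $full = if ([IO.Path]::IsPathRooted($dll)) { $dll }
                    else { Join-Path $env:SystemRoot "System32\$dll" }

            $exists = Test-Path -LiteralPath $full
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $full).Status }
                      else { 'n/a' }

            [pscustomobject]@{
                Key         = $key
                Dll         = $dll
                ResolvedTo  = $full
                Exists      = $exists
                Signature   = $sig
                # LoadAppInit_DLLs exists on Vista and later; empty on XP-era systems.
                LoadEnabled = $props.LoadAppInit_DLLs
            }
        }
    }
}

# A clean system normally returns nothing here.
Get-AppInitEntry | Format-Table -AutoSize
```

Any DLL listed here is loaded into every process that loads user32.dll, which is why the scanners' removals in this thread did not survive a reboot until the registry value itself was cleared.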
     
