HELP ! - anybody - virus problem

Thread starter: EJN
Hi,
I believe the following (copied from trend) will handle your issues:

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start > Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
3. In the right panel, locate and delete the entry or entries:
   olehelp="%Windows%\olehelp.exe"
4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer homepage and search page to the default settings.

1. Close all Internet Explorer windows.
2. Open Control Panel. Click Start > Settings > Control Panel.
3. Double-click the Internet Options icon.
4. In the Internet Properties window, click the Programs tab.
5. Click the “Reset Web Settings…” button.
6. Select “Also reset my home page.” Click Yes.
7. Click OK.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as TROJ_BOOKMARK.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security

If this is confusing let me know.....I have had this reset thing occur every now and then; the above solution generally works.
wj
Well, guys, if nobody can come up with a solution I really think this might be the last you hear from me - really ...

About 22 hours ago I foolishly logged onto what I knew was maybe a dodgy site and in less than 1/2 hour I'd got 7 viruses. Fortunately, most were of a nature that I sorted them out but right now I'm plagued incessantly with this blasted 'Cool Web Search' thing ...and CANNOT find a way to rid it - just changes my Home Page EVERY time, even though I've done all in my power to stop it.

Had for years on my machines - AVG (excellent overall) - Trojan Remover and Pest Patrol. Funnily, just a few hours before this episode I d/loaded and setup Ad-Aware6. It found one or two things but has done NOTHING to sort out the Cool Web Search thing. Got 'HiJackThis' which is a superb thing...it shows immediately the entries giving this Cool Web page but although I clear them they just auto return instantly. Got a super prog called CWShredder - that found at first the 'AboutBlank' entry that had been popped in, but within the last hour or two I've clearly done something and CWShredder now tells me I've got a clean machine...which I haven't of course.

Did NOT have before, Spybot, so d/loaded that this morning. It found a few things but again done NOTHING to shift Cool Web ...and in spite of numerous searches in Google, plenty of ideas on shifting it but none work.

This is on a two-month old new P4 3Gig laptop, on XP, my latest pride and joy and have been piling tons of progs on it that I want to use - NO WAY am I going to re-install to scratch and have to start over again. Don't really know how to start and I don't know where I'd find half the progs, keys etc to do that without a month or more searches.

Frankly I'm just about fed up..spent 22 hours now trying to sort it, apart from 6 hours restless night, and getting nowhere. I'd rather just give up the Internet if THIS is going to persist - anyway, I believe that it can in fact open the door to allow anything in ...so how on earth do I shift it after trying all this?

Unlocked SysRestore just in case something was in there, nothing, so I've now lost all my Restores too !!! and still no better off.

No problems in going into the Register but again, try as I may I cannot find any clue as to WHERE is the kick-off...well, I DO find the entry in 'Explorer-Main' key, but that's obviously not where it's triggered..as I change that but it just comes back.

It's thanks or goodbye mates - I've about had it !

--
EJN
 
Personally, I would reformat and do a clean install. This is why I
religiously backup important files. Sometimes it's just easier to
start all over (i.e. you've already expended 22 hours trying to
find the .exe file of this viri).

Good luck in your search. I've only come across one virus that I
just couldn't get rid of. I hope yours isn't one of them.
I've been into computers now for what surely must be 30+ years...bought the very first one ever intro'd to UK.. the old Atari 500 .. but NEVER NEVER had to do a reinstall and to be honest I just don't know where to start. Anyway - surely this effectively removes or makes non-working ALL your software as it is no longer 'installed' into the clean system ?? and the thought of re-installing ALL the stuff I've put on this is mind-boggling...even if I could lay my hands on all the progs AND keys etc. I just feel more like giving up --

EJN
 
I'm not at all averse to making Register entries - do it a lot. Followed your instructions in the first para but in the right pane of 'Run' on mine there is NO olehelp ...etc .. just five entries for progs that I've put on and WANT to start at log-on. And I've done a search on 'olehelp' and it seems there's no such item ANYWHERE on my Register .. so what now?

Did use Trend online scan...found nothing... AND I tried the 'Web Settings' thing..did nothing.

HiJackThis ALWAYS finds the 'new' Homepage entries (about 5) ..I clear them, can just close the prog then immediately re-open and in a Scan next minute they're back again !!! Frustrating isn't it ...! Just CANNOT find where it's being kicked off from.

EJN
 
When you get your computer sorted (tried F-Secure yet?), you ought to investigate using partition imaging software like Norton Ghost. No more full installs, you can get back to a fully working system in minutes with all your software and settings intact.
 
Hi,

Well I'll have to scratch my head a bit. I ran into the same situation you are in last fall.....I found a reg entry but there was also an executable in either system or system32 that was giving me the run around.

Could you search your hdd for a newly created file/folder and establish a time frame that it might have been created in?
wj
 
Hey - I wonder if you've got onto something? I can almost pin-point the time the dirty deed happened as about between 4:30 & 5:30pm yesterday - 31st May/04. I've found rucks of entries in Win between around 7:30pm and midnight but that would almost surely be when I found and tried some other progs that I hadn't on before. When THE event happened I didn't even install or load anything...was just looking...so there seems nothing to require a new file on that account.

I've found ONE file in WINDOWS timed 4:54pm yesterday..no more..just the one...dcstds3.dll ... got tons dated yesterday in Win\system and in win\sys32 .. but ALL between around 7:30 and midnight...again from tests without doubt as I did nothing BUT tests last evening !!!

SO...do you think that 4:54pm one has significance..the time is right? Suppose I rename it (if it will allow of course!) to .... dl$ or so ...

Will it allow, that's the question, as presumably it's "in use". On my good old machine I used to go into effective DOS mode and rename...no DOS now...do you have to go to Command Mode??? What a paraphernalia.... XP - bah! ...sh*

EJN
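The two checks the thread keeps circling back to (what is in the Run autostart key and which IE start/search values keep changing, from wj's pasted Trend text; and which files appeared under the Windows folder in the hour EJN pin-points) can be done read-only in one pass. The script below is an added example written for this thread, not part of any post and not Trend Micro's instructions; it assumes a machine with PowerShell 3 or later (not the 2004 XP box itself), the 31 May 2004 window is EJN's estimate, and the HKLM keys and the Default_* value names are the usual counterparts added here as assumptions.

```powershell
<#
  Added example (not from the thread, not Trend Micro's instructions).
  Read-only triage of the places the posts above point at:
    1. the Run autostart keys,
    2. the Internet Explorer Start Page / Search Page values,
    3. files created under the Windows folder inside a time window,
       with their Authenticode status so an unsigned DLL/EXE stands out.
  Nothing is deleted or renamed; compare the output against what you
  expect and remove only entries you can account for.
#>
param(
    [datetime]$WindowStart = '2004-05-31 16:30',   # constructed from EJN's estimate
    [datetime]$WindowEnd   = '2004-05-31 17:30',
    [string[]]$SearchRoots = @($env:windir)        # covers \system and \system32 too
)

# 1. Autostart entries. The Trend text lists HKCU; HKLM is the per-machine twin
#    of the same key and is included here as an assumption.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$autostart = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($prop.Name -like 'PS*') { continue }
        [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
    }
}

# 2. Internet Explorer home page and search page values (the entries EJN sees
#    HiJackThis report and clear, only to have them come back).
$ieKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)
$ieNames = 'Start Page', 'Default_Page_URL', 'Search Page', 'Default_Search_URL'
$iePages = foreach ($key in $ieKeys) {
    if (-not (Test-Path $key)) { continue }
    $main = Get-ItemProperty -Path $key
    foreach ($name in $ieNames) {
        $value = $main.$name          # dynamic property access; names contain spaces
        if ($null -ne $value) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
        }
    }
}

# 3. Files created inside the window, recursing through the Windows folder.
$newFiles = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $WindowStart -and $_.CreationTime -le $WindowEnd } |
        Select-Object FullName, CreationTime, Length,
            @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
}

Write-Output '== Run autostart entries =='
$autostart | Format-Table -AutoSize | Out-Host
Write-Output '== Internet Explorer start/search pages =='
$iePages | Format-Table -AutoSize | Out-Host
Write-Output ("== Files created between {0} and {1} ==" -f $WindowStart, $WindowEnd)
$newFiles | Sort-Object CreationTime | Format-Table -AutoSize | Out-Host
```

A file with Signature NotSigned that was created in the window and is referenced by none of the listed Run commands is the kind of finding worth checking with a current scanner before touching it.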
 
This is not the same as the "smartsearch virus" that I had. Here is a procedure to use that I cut and pasted for your consideration:

----------------------------------------------------------------------------------------------------
cws.smartsearch.2 cool web search notice

Heads up for all system and network admins out there. It seems that the arena of spyware versus spyware protection is getting more vicious by the hour. Our technology dept has been seeing with alarming frequency more and more spamware attacks on individual systems (our mobile users are unprotected by our firewall rules at their homes).

The most nefarious of these has been the coolwebsearch trojan and any of its variants. cws.smartsearch.2 and .3, .4, .5 all have a component which is designed to recognize the launching of the cwshredder removal program and to close it mid operation.

Spybot, and Hijackthis in combination with any pop-up stopper will not stop this trojan. CWShredder, if run, will be terminated abnormally during its scan. The new CWShredder version has built-in counters for this trojan technique, but recently even newer variants of the CWS trojan have counterattacks for CWShredder's counterattacks.

The only effective solution we have found is this:

1. Run ad-aware, update ad-aware: perform a full scan (other options have to be enabled via the custom options)

2. After ad-aware has removed or quarantined its discoveries, run the cwshredder program again (make sure you are running ver. 1.57 or greater; this will remove any residual cws files left on the system).

If this does not work, and as a counter to any as yet undiscovered trojans, we remove the tcp/ip stack as well as the associated winsock components (as this windows core component is now a major target of the spammers).

--------------------------------------------------------------------------------------------------------

Note, I always ghost my pc's hd so that I can reload easily in case of this type of infection. I wish that these hackers would find something better to do than just screw with other people's machines.
 
another link to try.....

http://www.spysweeper.com/remove-coolwebsearch.html

steps to remove manually at the bottom.

--
http://www.pbase.com/galleries/donald_spencer (pbase supporter)
Hi,

have you looked into parasite removal instead of virus...had similar problem at work and our IT support person spent hours getting rid of it by going thru the registry (unfortunately she's on maternity leave, so I can't ask her what she did exactly). sorry....
--
Helen K
 
http://spyware.pcwash.com/computer-parasite.html
--
Helen K
 
I had to run Ad-Aware (6) to actually find out what was happening. I did and wrote down the file names. (I am forced to run a dual boot because I have two or three programs that aren't happy with 2K or XP.) I shut down and rebooted in Win98...went to the folders and deleted the culprits and that was that. I know this doesn't help you, sorry....but that is what I did.
wj
 
I hate to play devil's advocate here, but I know you're thinking what I'm thinking. This viri has taken residence in your master boot record. Despite your refusal to fdisk you may have no choice.

I lost some of my most favorite portrait shots once, not because I didn't take steps to protect them (nothing, and I mean nothing goes on my C: drive that is of much importance. All my pics are on a totally separate hard drive) but because I accidentally fdisked the wrong drive (oops!).

Live and learn. Never put all your eggs in one basket.....partition, partition, partition (makes defragging a whole lot faster too). Ideally, install a second hd and dedicate it to those files that are irreplaceable.
 
AdAware, which is free for personal use, has been quite helpful for me in this respect.... have you tried it yet? usually with malicious hijacking trojan programs such as this, adaware has a function where after it identifies such programs, you will be prompted to reboot, where it will remove the offending programs before they have a chance to load & embed themselves in your computer.

http://www.lavasoftusa.com/software/adaware/

it seems to deal with this cool web search thing...

http://www.lavasoftsupport.com/index.php?showtopic=28801&hl=cool+web+search
http://www.lavasoftsupport.com/index.php?showtopic=29044&hl=cool+web+search

here's another faq on it i found that might help.

http://www.scumware.com/apps/scumware.php/action::view_article/article_id::1075329940/topic::Scumware,-Spyware,-Adware-&-Malware-Applications/

anyway, hope some of this stuff will help you to get rid of it.

somy
 
