HELP ! - anybody - virus problem

[AJohn]

Really EJN, if Spykiller is finding some things, you should be able to fix it. When I posted that info, I failed to mention that I have actually solved the problem you have for a couple of people using this. In their case, it was Ncase, ISEARCH and ILOOKUP but I think they all work the same.

First I went in and manually deleted anything to do with those programs that I could find in all the usual places. I Looked not only favorites in the browser but also in the favorites folder in C drive. I Opened internet options and deleted the home page that was put in there. I also removed anything related in add/remove programs. I cleaned out all temporary internet files. To do this, you should DL (yeah I know, not ANOTHER DL) Window Washer so you can empty the cache too. WW has a 30 day full free trial version. It works GREAT. Then you should run Reg clean to repair anything it can in the registry. THEN I ran Spykiller and I searched for and deleted every item it found in regedit (I assume you know how to do that). Then last but not least, I ran regclean again and it was perfect. I of course can't guaranty this will work but it did when I tried it.

--
Andy
http://imageevent.com/ajrphotos

 

[EJN]

From my link earlier - your problem isn't closing down the hijack
finding program. There was a link on a special fix by Pepimk. Did
you try that.

--
Stinson
C-750, D-40, B-300, Nikon 4T macro, PS CS
http://www.StinsonsTerra.StinsonsC750Gallery.PhotoShare.co.nz
http://www.photosig.com/go/users/view?id=64739

Yes I did. I d/l and ran the "pre-exe" THEN ran CWShredder but it just whizzed through and showed nothing and gave me a 'clean sheet - which of course is not so , as it's still there...although see my post to Dave on what's been going on - at least a solution of sorts it seems, albeit no idea how it will act or IF it will affect anything...

--
EJN

 

[EJN]

Really EJN, if Spykiller is finding some things, you should be able
to fix it. When I posted that info, I failed to mention that I have
actually solved the problem you have for a couple of people using
this. In their case, it was Ncase, ISEARCH and ILOOKUP but I think
they all work the same.

First I went in and manually deleted anything to do with those
programs that I could find in all the usual places. I Looked not
only favorites in the browser but also in the favorites folder in C
drive. I Opened internet options and deleted the home page that was
put in there. I also removed anything related in add/remove
programs. I cleaned out all temporary internet files. To do this,
you should DL (yeah I know, not ANOTHER DL) Window Washer so you
can empty the cache too. WW has a 30 day full free trial version.
It works GREAT. Then you should run Reg clean to repair anything it
can in the registry. THEN I ran Spykiller and I searched for and
deleted every item it found in regedit (I assume you know how to do
that). Then last but not least, I ran regclean again and it was
perfect. I of course can't guaranty this will work but it did when
I tried it.

--
Andy
http://imageevent.com/ajrphotos

Andy -

I think the trouble is that there seem sio many variants of this that what might work on one may not work as well on such as mine. In one respect MINE seems a bit inocuous in that it just wants to change the Home page...and maybe that's why it's giving some trouble...not as many links and/or things or files etc for a prog to pick up. SpyKiller HAS worked fine - found CWW at least where none others seem to have done..and what I've found I've deleted . None of the other progs have done much at all. But as I've just said in another post, see the latest in my response to Dave down at the bottom here...I sorted oiut the Register entries for Start/Home/Local pages in TWO places....all were set to the 'dodgy' site and as fast as I reset those peviously they were reset BACK again by CWW !!! So this time I found by chance the 'Permissions' settings in the 'Edit-Modify' drop-down in the Register sections. I am the ONLY user so I can safely do whatever, as nobody else is affected and I've set the 'page' entry Keys to 'Permission Deny' to either Alter or Delete - and blow me...it seems to work ! Since then I left SpyKiller running in the background - also another similar (LockHomePage or similar name) and both reported Homepoage change - did I want to keep Google...but there was NO name or site shown for the other...and in fact whatever the spook is, it THINKS it's changed, the progs have reported the attempt but if I click on Home, up comes good old Google !!!!

Still trying everything I find to SCRUB it properly but so far no luck - but even the present is better than it was. Hope it will not affect anything else in IE !!!!

--
EJN

 

[EJN]

I got the same trojan horse a month ago. Like you, I struggled
with it all one weekend, found the executable finally, removed it,
and then tried to repair the damage. It had locked up the tool bar
in my browser and destroyed my Restore Point files so there was no
way to go back. Finally, I called Dell support. They said that
the only way they knew they could remove ALL the damage was a
reformat of the hard drive. They walked me through it (took about
a hour or more), and then I had to reinstall everything. That took
a couple of weeks and I'm still not back to where I started.

I have installed and subscribed to SpySweeper 2.2. This has done a
good job of stopping the spyware and snooper stuff. Norton
AntiVirus watches my email. I am behind a firewall to stop
hackers. Yea though I walk through the valley of death, I will
fear no evil...... well, maybe. I now regularly do a full backup
to an external SeaGate drive.

Good luck.

Tom

Tom -

I bow respectfully to your courage and actions but this is just what I've fervently tried to avoid. I just don't know if it is feasible that I could ever get back EXACTLY as I've loaded so much on in progs and more importantly such as PS Actions, Plug-ins ec etc and SO many similar things. It's not the install, but FINDING everything to do it ...and time of course.

Thankfully (should I say so) I've got somewhere, whether or not it's right I don't know, but right now it's live-able with!!! ..moreso ...
--
EJN

 

[karuzo]

Really EJN, if Spykiller is finding some things, you should be able
to fix it. When I posted that info, I failed to mention that I have
actually solved the problem you have for a couple of people using
this. In their case, it was Ncase, ISEARCH and ILOOKUP but I think
they all work the same.

First I went in and manually deleted anything to do with those
programs that I could find in all the usual places. I Looked not
only favorites in the browser but also in the favorites folder in C
drive. I Opened internet options and deleted the home page that was
put in there. I also removed anything related in add/remove
programs. I cleaned out all temporary internet files. To do this,
you should DL (yeah I know, not ANOTHER DL) Window Washer so you
can empty the cache too. WW has a 30 day full free trial version.
It works GREAT. Then you should run Reg clean to repair anything it
can in the registry. THEN I ran Spykiller and I searched for and
deleted every item it found in regedit (I assume you know how to do
that). Then last but not least, I ran regclean again and it was
perfect. I of course can't guaranty this will work but it did when
I tried it.

--
Andy
http://imageevent.com/ajrphotos

Andy -
I think the trouble is that there seem sio many variants of this
that what might work on one may not work as well on such as mine.
In one respect MINE seems a bit inocuous in that it just wants to
change the Home page...and maybe that's why it's giving some
trouble...not as many links and/or things or files etc for a prog
to pick up. SpyKiller HAS worked fine - found CWW at least where
none others seem to have done..and what I've found I've deleted .
None of the other progs have done much at all. But as I've just
said in another post, see the latest in my response to Dave down at
the bottom here...I sorted oiut the Register entries for
Start/Home/Local pages in TWO places....all were set to the
'dodgy' site and as fast as I reset those peviously they were reset
BACK again by CWW !!! So this time I found by chance the
'Permissions' settings in the 'Edit-Modify' drop-down in the
Register sections. I am the ONLY user so I can safely do whatever,
as nobody else is affected and I've set the 'page' entry Keys to
'Permission Deny' to either Alter or Delete - and blow me...it
seems to work ! Since then I left SpyKiller running in the
background - also another similar (LockHomePage or similar name)
and both reported Homepoage change - did I want to keep
Google...but there was NO name or site shown for the other...and in
fact whatever the spook is, it THINKS it's changed, the progs have
reported the attempt but if I click on Home, up comes good old
Google !!!!
Still trying everything I find to SCRUB it properly but so far no
luck - but even the present is better than it was. Hope it will
not affect anything else in IE !!!!

--
EJN

--
EJN,

I'm sorry if I am repeating people's posts here - just don't have the time to read them all. Anyway, I had few cases on friends' computers similar to yours. My way is almost always reformatting the hard drive and reinstalling a fresh system. Seems you spent many hours figuring this one out. Therefore, reformating should not be a timely issue to do. Regardless, I usualy reformat my hard drive once or twice a year. I remember downloading few small utilities that helped in a situation like that which helped. Sorry, but cannot remember a link. By the way, Reformating will be the best solution. Even if you thought you got rid of the problem, I am SO sure that what ever was installed on your machine, also installed a spyware, which is not that easy to detect and remove.
Goodluck,

--
Doron
C8080
http://karuzo.smugmug.com

 

[EJN]

Dave - this story has more twists and turns !!!
I was about to come back to you but first made a 'Permissions'
change on the Home Page entry in the Reg, just as a 'hope'.
Switched off, then on again to log this afresh (not sure if Reg
changes DO take place 'on the fly' ...however I got some sort of
'key' error message on restart (hopefully thinking because 'it' was
trying to change what it was now denied (???) ...but on logging on,
I clicked on Home and guess what - up comes Google !!
Still cannot believe it but daughter about to descend on us for a
very short visit on way back home - so probably going to be'off'
awhile, but if I may, I'll come back on and ask you about this
reinstall. Tell you now - as usual here - all I've got is a
bog-standard 'Recovery Disk' so it wuld go back to as it was Day 1
from the shop. Fat lot of good that is - don't you think ??? what
about such as the Win Updates and Lord knows what else, apart from
all progs..AND contents such as a multiplicity of PS Actions,
Plug-ins etc etc etc etc !!!!! I really DO hate to think of it..

EJN

Dave -

Back again as promised but best maybe if I refer you to my note above somewhere in response to A.John (Andy) as that tells you in brief summary what I've done with the Register...whether it will affect anything I treally don't know...the blasted 'thing' is still not to be found by ANYTHING fully, but I can say with pleasure that I click on Google ...or rather 'Home' .. and up pops Google every time now...good as gold.

At the moment I am getting an opening (after switch-on) little error messsage about failed Reg Key or sommat but not sure if that isn't triggered by one of the two 'LockHomePage' progs that I left on....the thing is still trying...and THINKING it's done it ...but it hasn't, with the 'lock' on in the Register Permissions . I'm still persevering. Just run Pest Patrol but NOTHING. As this is not a Trojan/Virus I wondered if such as a Pest prog might catch it , but it doesn't...and I've found Pest Patrol to be good. So it goes on...find the culprit .exe or whatever it is...but what to look for without a clue ...??? Could be any obscure name..

--
EJN

 

[EJN]

When you get your computer sorted (tried F-Secure yet?), you ought
to investigate using partition imaging software like Norton Ghost.
No more full installs, you can get back to a fully working system
in minutes with all your software asnd settings intact..

Steve -
Sorry to be late in getting back but you can imagine the time going on this...

I often wish I had such a thing...or better still knew how to use it !!! I know a fair bit on computers after nearly 40 years but believe it or not...NEVER had to or actually done a reinstall and am clueless on the whys/wheres.. Also have I said or is it known...I use laptops....and although a P4 3.06Gig , fact is with laptops you have less available and how-to-do than with desktops. I use an external LACIE 40Gig and have 60Gig on the laptop...adequate you may say...probably is...but I still don't know how to trust myself to doing a job I know nothing about...that's me...if I know it I'll do it...if I don't ...it scares me off..

EJN

 

[wymjym]

EJN,

We all live and learn. I had a system running for several years and then it went ‘bad’. (due in part to me not understanding what had caused the problem and then me just throwing proggies at it)

I did the format route ultimately and never got back all of the neat little tweaks that I had accumulated. I learned however!!!!!

I have installed on all of our systems a ‘mobile rack’. This is a fixture that allows you to slide hdd’s in and out (pre USB2 external drives). On my system my main hdd is a 160gig, I have three mobile racks 80gig, 60gig, 40gig. The 40gig is used for music only, the 80 and 60 are clones of my entire system (except for the music). I do a complete backup every two weeks swapping between these two larger drives. The worst thing that might happen to me at this point is that my system state might be two weeks old. After the initial cloning the time for this backup (as it is incremental) is generally less than 10 minutes.

I really understand your point about not wanting to reformat…and unless you have managed to really bugger it up (the OS/registry) I would try very hard to remove this malware. Btw…it can be done, you must believe that!
wj

Dave - this story has more twists and turns !!!
I was about to come back to you but first made a 'Permissions'
change on the Home Page entry in the Reg, just as a 'hope'.
Switched off, then on again to log this afresh (not sure if Reg
changes DO take place 'on the fly' ...however I got some sort of
'key' error message on restart (hopefully thinking because 'it' was
trying to change what it was now denied (???) ...but on logging on,
I clicked on Home and guess what - up comes Google !!
Still cannot believe it but daughter about to descend on us for a
very short visit on way back home - so probably going to be'off'
awhile, but if I may, I'll come back on and ask you about this
reinstall. Tell you now - as usual here - all I've got is a
bog-standard 'Recovery Disk' so it wuld go back to as it was Day 1
from the shop. Fat lot of good that is - don't you think ??? what
about such as the Win Updates and Lord knows what else, apart from
all progs..AND contents such as a multiplicity of PS Actions,
Plug-ins etc etc etc etc !!!!! I really DO hate to think of it..

EJN

Dave -
Back again as promised but best maybe if I refer you to my note
above somewhere in response to A.John (Andy) as that tells you in
brief summary what I've done with the Register...whether it will
affect anything I treally don't know...the blasted 'thing' is still
not to be found by ANYTHING fully, but I can say with pleasure that
I click on Google ...or rather 'Home' .. and up pops Google every
time now...good as gold.
At the moment I am getting an opening (after switch-on) little
error messsage about failed Reg Key or sommat but not sure if that
isn't triggered by one of the two 'LockHomePage' progs that I left
on....the thing is still trying...and THINKING it's done it ...but
it hasn't, with the 'lock' on in the Register Permissions . I'm
still persevering. Just run Pest Patrol but NOTHING. As this is
not a Trojan/Virus I wondered if such as a Pest prog might catch it
, but it doesn't...and I've found Pest Patrol to be good. So it
goes on...find the culprit .exe or whatever it is...but what to
look for without a clue ...??? Could be any obscure name..

--
EJN

 

[Don Spencer]

I had a girl in our office infested with spyware this morning,

I tried CWSweeper, which referenced me to HijackThis.

It worked like a charm!!

http://download.com.com/3000-8022-10227352.html?tag=lst-0-4

If spyware is hiding out in your computer, but your adware-removal program can't track it down, you need HijackThis. The tiny program examines vulnerable or suspect parts of your system, such as browser helper objects and certain types of registry keys. Pressing the Scan button generates a log of dozens of items, most of which are just customizations, such as Google Toolbar. To learn more about an entry you don't recognize, you have a few options. Clicking Info on selected item tells you why the entry was flagged as suspicious, but not whether it's actually malware. To find that out, you'll need to search the Web for that item's name or go straight to a forum such as SpywareInfo or Computer Cops. Saving the log creates a text document you can post to these forums. The program installs into whatever directory in which you unzip the file, which can make it hard to locate. Don't check off an item and hit the Fix checked button unless you're sure it's malware, though--you can do damage. HijackThis is a serious tool for any user who needs to root out a serious infestation, but wield it with caution.

--
http://www.pbase.com/galleries/donald_spencer (pbase supporter)

 

[EJN]

I had a girl in our office infested with spyware this morning,

I tried CWSweeper, which referenced me to HijackThis.

It worked like a charm!!

http://download.com.com/3000-8022-10227352.html?tag=lst-0-4

If spyware is hiding out in your computer, but your adware-removal
program can't track it down, you need HijackThis. The tiny program
examines vulnerable or suspect parts of your system, such as
browser helper objects and certain types of registry keys. Pressing
the Scan button generates a log of dozens of items, most of which
are just customizations, such as Google Toolbar. To learn more
about an entry you don't recognize, you have a few options.
Clicking Info on selected item tells you why the entry was flagged
as suspicious, but not whether it's actually malware. To find that
out, you'll need to search the Web for that item's name or go
straight to a forum such as SpywareInfo or Computer Cops. Saving
the log creates a text document you can post to these forums. The
program installs into whatever directory in which you unzip the
file, which can make it hard to locate. Don't check off an item and
hit the Fix checked button unless you're sure it's malware,
though--you can do damage. HijackThis is a serious tool for any
user who needs to root out a serious infestation, but wield it with
caution.

--
http://www.pbase.com/galleries/donald_spencer (pbase supporter)

Don -

HiJackThis - LOVE IT!! .. had it on for some months since my grandson had a problem which I sorted out with this...but on MINE...ziilch ! It certainly shows very well indeed the offfending 'wrong' HOME page site...about 5 entries...but doing a 'Fix' on those , whilst it clears them, if you just close HiJack then immediately re-open...they're there again, large as life. NO USE at all in clearing. Tried my CWShredder (of old) then luck but found from this thread that I needed the latest ver 1.57. Got that - ran it ...guess what...."you have a clean system" - HAH!

I'm still trying to pin it down but in a couple of other posts here I've related what I've done in the Register and this so far stops it changing the HOME page. Seems there are UMPTEEN variants..I think I'm lucky to have one that is less damaging..just so far acting on the Home page, but I seem to have stopped that...famous last words??????????

Watch this space as they say..

EJN
--
EJN

 

[shanley]

I had a similar problem back in september.......it was probably the same thing. It was some web search, possibly cool web search. Here was my thread.

http://forums.dpreview.com/forums/read.asp?forum=1008&message=6213154

You have received much more of a response than I did. I was able to use spybot search and destroy to find the problem within a day and since then I have not had any problems.

Sure hope someone's tips give you a break on the deal and you fix the problem I know it is such a pain. Mine acted differently than yours. Instead of making it a homepage. I would have a pop up for that same site come up over and over again.
--
Shanley
C-21OO
http://www.pbase.com/shanley (supporter)

 

[Don Spencer]

I don't like to give up on a challenge like this, I'm convinced that as long as you can track down how this scumware keeps reinstalling, you should eventually get if fixed.

I learned something today in fixing a comprimized PC, after using msconfig to turn off anything you don't need, and uninstalling anything fishy through add/remove programs, I used control panel to access Internet options to reset the Internet start page to a blank page. I thought that would do it, but somehow, one of the Shortcuts to Internet Explorer STILL launched the bad browser again, and in reinstalled everything all over again! grrrrrrrrrrrr..... did it again, msconfig to look at the start up, add/remove programs, and this time, I deleted all the desktop shortcuts to Internet Explorer. I reset the browser start page from control panel, then ran a full virus scan using AVG. Next, ran spybot, cwsweeper, and hijack this. Hijack this found several wierd settings which I asked it to fix, so far, so good......
don't give up, a reformat is a last, last resort, you still may fix this.

There are some very good technical forums too, much more focussed on computer problems. I'd run the hijack this again, post the log to a tech forum, let them look it over. someone there ought to be able to get you over the final hump.

I had a girl in our office infested with spyware this morning,

I tried CWSweeper, which referenced me to HijackThis.

It worked like a charm!!

http://download.com.com/3000-8022-10227352.html?tag=lst-0-4

If spyware is hiding out in your computer, but your adware-removal
program can't track it down, you need HijackThis. The tiny program
examines vulnerable or suspect parts of your system, such as
browser helper objects and certain types of registry keys. Pressing
the Scan button generates a log of dozens of items, most of which
are just customizations, such as Google Toolbar. To learn more
about an entry you don't recognize, you have a few options.
Clicking Info on selected item tells you why the entry was flagged
as suspicious, but not whether it's actually malware. To find that
out, you'll need to search the Web for that item's name or go
straight to a forum such as SpywareInfo or Computer Cops. Saving
the log creates a text document you can post to these forums. The
program installs into whatever directory in which you unzip the
file, which can make it hard to locate. Don't check off an item and
hit the Fix checked button unless you're sure it's malware,
though--you can do damage. HijackThis is a serious tool for any
user who needs to root out a serious infestation, but wield it with
caution.

--
http://www.pbase.com/galleries/donald_spencer (pbase supporter)

Don -
HiJackThis - LOVE IT!! .. had it on for some months since my
grandson had a problem which I sorted out with this...but on
MINE...ziilch ! It certainly shows very well indeed the
offfending 'wrong' HOME page site...about 5 entries...but doing a
'Fix' on those , whilst it clears them, if you just close HiJack
then immediately re-open...they're there again, large as life. NO
USE at all in clearing. Tried my CWShredder (of old) then luck but
found from this thread that I needed the latest ver 1.57. Got that

• ran it ...guess what...."you have a clean system" - HAH!

I'm still trying to pin it down but in a couple of other posts here
I've related what I've done in the Register and this so far stops
it changing the HOME page. Seems there are UMPTEEN variants..I
think I'm lucky to have one that is less damaging..just so far
acting on the Home page, but I seem to have stopped that...famous
last words??????????

Watch this space as they say..

EJN
--
EJN

--
http://www.pbase.com/galleries/donald_spencer (pbase supporter)

 

[Jon_T]

...to read, go through the steps of "I think my computer is infected or hijacked. What should I do?" and post your results/symptoms in the the security forum I provided in my previous posts?

There are a lot of security professionals/gurus that will take the time to help people who's PC has been infected and/or hijacked.

If they cannot sovle your problems I doubt anyone esle can.

BTW, I understand not wanting to start from scratch on rebuilding your system. Also faced the same task 10 years ago when my hard drive died.

Since then I ALWAYS keep a current image of hard drive. No longer worry about having to FDISK/Format or replace hard drive.

 

[SteveB]

Interesting read at http://www.computercops.biz/postt44155.html

about correct usage of Hijack This in removing Cool Web Search. It seems to be a registry based trojan. My own (quick) interpretation of the Hijack This logs before/after fixing seem to indicate that any mentions of "ht tp: greatsearch.biz" in the registry are bad news. I've added some spaces in this web address so no one goes there by accident!

 

[Hooligans Imagery]

There is a program out there called startuplist.exe which prints to notepad all of your startup entries. You might want to find that, print it and send to one of the tech forums mentioned.

--
Stinson
C-750, D-40, B-300, Nikon 4T macro, PS CS
http://www.StinsonsTerra.StinsonsC750Gallery.PhotoShare.co.nz
http://www.photosig.com/go/users/view?id=64739

 

[Don Spencer]

link to startuplist

http://www.spywareinfo.com/~merijn/downloads.html

look in the downloads list, this could be useful too

There is a program out there called startuplist.exe which prints to
notepad all of your startup entries. You might want to find that,
print it and send to one of the tech forums mentioned.

--
Stinson
C-750, D-40, B-300, Nikon 4T macro, PS CS
http://www.StinsonsTerra.StinsonsC750Gallery.PhotoShare.co.nz
http://www.photosig.com/go/users/view?id=64739

--
http://www.pbase.com/galleries/donald_spencer (pbase supporter)

 

[streetshot3]

if they can't solve this then no one can.

Click on forums, then register and ask away.

http://www.pcmech.com

 

[Gregg Humphrey]

Go here:

http://www.scumware.com/apps/scumware.php/action::view_article/article_id::1075329940/topic::Scumware,-Spyware,-Adware-&-Malware-Applications/

Well, guys, if nobody can come up with a solution I really think
this might be the last you hear from me - really ...
About 22 hours ago I foolishly logged onto what I knew was maybe a
dodgy site and in less than 1/2 hour I'd got 7 viruses.
Fortunately, most were of a nature that I sorted them out but right
now I'm plagued incessantly witrh this blasted 'Cool Web Search'
thing ...and CANNOT find a way to rid it - just changes my Home
Page EVERY time , even though I've done all in my power to stop it.
Had for years on my machines - AVG (excellent overall) - Triojan
Remover and Pest Patrol. Funnily , just a few hours before this
episode I d/loaded and setup Ad-Aware6. It found one or two things
but has done NOTHING to sort out the Cool Web Search thing. Got
'HiJackThis' which is a superb thing...it shows immediately the
entries giving this Cool Web page but although I clear them they
just auto return instantly. Got a super prog called CWShredder -
that found at first the 'AboutBlank' entry that had been popped in
, but within the last hour or two I've clearly done something and
CWShredder now tells me I've got a clean machine...which I haven't
of course.
Did NOT have before, Spybot, so d/loaded that this morning. It
found a few things but again done NOTHING to shift Cool Web ...and
in spite of numerous searches in Google , plenty of ideas on
shifting it but none work,.
This is on a two-month old new P4 3Gig laptop, on XP, my latest
pride and joy and have been piling tons of progs on it that I want
to use - NO WAY am I going to re-install to scratch and have to
start over again. Don't really know how to start and I don't know
where I'd find half the progs, keys etc to do that without a month
or more searches.
Frankly I'm just about fed up..spent 22 hours now trying to sort it
, apart from 6 hours restless night, and getting nowhere
I'd rather just give up the Internet if THIS is going to persist -
anyway, I believe that it can in fact open the door to allow
anything in ...so how on earth do I shift it after trying all this ?
Unlocked SysRestore just in case something was in there, nothing,
so I've now lost all my Restores too !!! and still no better off.
No problems in going into the Register but again, try as I may I
cannot find any clue as to WHERE is the kick-off...well, I DO find
the entry in 'Exolorer-Main' key , but that's obviously not where
it's triggered..as I change that but iyt just comes back.
It's thanks or gooodbye mates - I've about had it !

--
EJN

 

[Gregg Humphrey]

Go to the CyberScrub site:

http://www.pcwash.com/tracks-eraser/cool-web-shredder.html

Well, guys, if nobody can come up with a solution I really think
this might be the last you hear from me - really ...
About 22 hours ago I foolishly logged onto what I knew was maybe a
dodgy site and in less than 1/2 hour I'd got 7 viruses.
Fortunately, most were of a nature that I sorted them out but right
now I'm plagued incessantly witrh this blasted 'Cool Web Search'
thing ...and CANNOT find a way to rid it - just changes my Home
Page EVERY time , even though I've done all in my power to stop it.
Had for years on my machines - AVG (excellent overall) - Triojan
Remover and Pest Patrol. Funnily , just a few hours before this
episode I d/loaded and setup Ad-Aware6. It found one or two things
but has done NOTHING to sort out the Cool Web Search thing. Got
'HiJackThis' which is a superb thing...it shows immediately the
entries giving this Cool Web page but although I clear them they
just auto return instantly. Got a super prog called CWShredder -
that found at first the 'AboutBlank' entry that had been popped in
, but within the last hour or two I've clearly done something and
CWShredder now tells me I've got a clean machine...which I haven't
of course.
Did NOT have before, Spybot, so d/loaded that this morning. It
found a few things but again done NOTHING to shift Cool Web ...and
in spite of numerous searches in Google , plenty of ideas on
shifting it but none work,.
This is on a two-month old new P4 3Gig laptop, on XP, my latest
pride and joy and have been piling tons of progs on it that I want
to use - NO WAY am I going to re-install to scratch and have to
start over again. Don't really know how to start and I don't know
where I'd find half the progs, keys etc to do that without a month
or more searches.
Frankly I'm just about fed up..spent 22 hours now trying to sort it
, apart from 6 hours restless night, and getting nowhere
I'd rather just give up the Internet if THIS is going to persist -
anyway, I believe that it can in fact open the door to allow
anything in ...so how on earth do I shift it after trying all this ?
Unlocked SysRestore just in case something was in there, nothing,
so I've now lost all my Restores too !!! and still no better off.
No problems in going into the Register but again, try as I may I
cannot find any clue as to WHERE is the kick-off...well, I DO find
the entry in 'Exolorer-Main' key , but that's obviously not where
it's triggered..as I change that but iyt just comes back.
It's thanks or gooodbye mates - I've about had it !

--
EJN

 

[Inigo Montoya]

Amen. No help in this instance, but once a recovery (or rebuild) has been made, excellent advice to follow. I use a similar approach myself, combined with burning stuff to DVDs.

EJN,
We all live and learn. I had a system running for several years and
then it went ‘bad’. (due in part to me not understanding what had
caused the problem and then me just throwing proggies at it)
I did the format route ultimately and never got back all of the
neat little tweaks that I had accumulated. I learned however!!!!!
I have installed on all of our systems a ‘mobile rack’. This is a
fixture that allows you to slide hdd’s in and out (pre USB2
external drives). On my system my main hdd is a 160gig, I have
three mobile racks 80gig, 60gig, 40gig. The 40gig is used for music
only, the 80 and 60 are clones of my entire system (except for the
music). I do a complete backup every two weeks swapping between
these two larger drives. The worst thing that might happen to me at
this point is that my system state might be two weeks old. After
the initial cloning the time for this backup (as it is incremental)
is generally less than 10 minutes.

I really understand your point about not wanting to reformat…and
unless you have managed to really bugger it up (the OS/registry) I
would try very hard to remove this malware. Btw…it can be done, you
must believe that!
wj