Does anyone know how to remove this shit?!?! I've tried everything. CWShredder, Pest Patrol, Spy Sweeper, Ad-Aware SE, Spybot, Spyware Doctor, HijackThis... etc... and nothing gets rid of it. This is the toughest spyware I've encountered and nothing cleans it completely. It puts some entries in the hosts file, but once you remove them, they appear again. I've had to reimage 3 machines in the past 2 days due to this. Anyone know?
Spyware help! CoolWebSearch
Re: Spyware help! CoolWebSearch
From a friend of mine, worked for me:
This is one of the most insidious pieces of software I have ever dealt with. This information is provided without warranty to help others. Follow these instructions at your own risk.
------------------------------------------
To fix this, I used the following tools:
Spybot Search & Destroy
BHOdemon
Registry Editor
-------------------------------------------
You also will need some knowledge about:
Windows file version properties
Windows command prompt
Windows processes
Booting in safe mode
--------------------------------------------
Time and patience (I did it from start to finish in 3 hours).
Spybot Search & Destroy - this is an excellent piece of shareware (free, although I made a donation to the developer through PayPal). I recommend you download it from www.download.com. Some web sources actually point you towards other non-free pieces of software or spyware. I used Spybot S & D to notify me and prevent unwanted registry changes. It's a good piece of software to run in general to handle spyware. Make sure to run version 1.3. If you currently have 1.2, I recommend that you uninstall and install 1.3 as 1.2 does not upgrade to 1.3.
BHOdemon - regardless of the lousy name, it monitors BHOs (BHOs are Browser Helper Objects) which allow other pieces of software to be extensions of Windows facilities such as Internet Explorer (IE - web browser) and Windows Explorer (WE - file browser). These BHOs run in the background and can help (or hurt) you. You can download BHOdemon from http://www.definitivesolutions.com/bhodemon.htm. It is an ugly site and I was hesitant to load it on my machine at first, but since the computer was already pretty screwed up, I figured I had nothing to lose.
You can read some articles about this software by going to http://groups.google.com and typing in BHODemon. Here is one article that may help alleviate some of your concerns.
How does this thing work?
Easy question, hard answer. This evil thing launches multiple attacks against your computer. Here is what I've seen it do:
1) Loads a changing BHO so you can't just kill a single BHO (which is a DLL).
2) Has at least one deeply hidden startup entry in the registry.
3) Continually modifies values in the registry.
4) Takes over your browser home page.
5) Detects certain IE actions such as searching in IE for Spybot.
6) Detects certain WE actions such as deleting one of its own files.
7) Adds 'bad' entries into the 'Add/Remove' control panel applet.
What does it do?
It appears that its intent is to direct users to sites that they own (e.g. looking-for.cc). When doing certain searches, you are either redirected to their own search page or their search page will pop up. Also, I have heard it does send you to porn sites. Additionally, it caused my machine to run really slow and seemed to kill programs (such as Notepad) when I was searching for its pieces. This is one smart and adaptable program. In fact, the closer I got to killing it, the deeper it tried to infiltrate my machine. Also, running and killing windows that use BHOs, such as IE and WE, seems to trigger it to dig deeper into your computer. Don't open and close windows more than necessary while trying to clean your computer.
How to kill it?
First, make sure to install Spybot S & D version 1.3 and some type of BHO monitoring tool such as BHOdemon. Spybot will report to you when changes to the system registry are made and BHOdemon will alert you to BHOs that are running. Make sure to say no to all registry changes that add entries you do not recognize.
Shut down all instances of IE and have only a single WE window open. Do not under any circumstance use the control panel add/remove programs option to try to uninstall this program. It will only make it worse.
This thing creates programs with 5 character names such as sdhlv.dll. Anything named like this is suspect and needs to be eliminated.
Press ctl-alt-del and bring up the task manager. Look for strangely named processes such as wincy.exe and kill them. If you don't know about a process, do a search from http://groups.google.com on the name (preferably on a second computer). If you get no results about it being a known process or a process that is a part of this malware, kill it. It is important that you get them all at this point. If you kill too many, the worst you will have to do is restart your computer - nothing will be broken permanently.
Running BHOdemon will show you the currently running BHOs. I had 2 running by default but you may have more. Ones that are ok are part of the Acrobat Reader from Adobe, part of the Symantec Anti-Virus suite, and IEZ.DLL which is part of BrowserPlus LoginManager (www.browserplus.com). Offending BHOs will have a random 5 character name (e.g. qdefl.dll). Clear the checkbox next to these bad boys and they will stop running.
Now you need to start deleting bad files. All the files are located in 3 directories (C:\Windows, C:\Windows\System and C:\Windows\System32). The files are typically all small (less than 100K) and share the same 5 character name with either a .dat, .dll or .exe extension. Almost every good DLL or EXE will have a version tab with a company name and file version (right click on the file name and select Properties, or just mouse over the file name and a tooltip box will pop up). They will all have recent dates (mine were all post 6/1/2004). Since no new software was installed since 6/1, I knew that I could kill all of them. I did get aggressive with the .dat files and did need to re-install Norton Anti-Virus in addition to re-activating Windows XP (2 times), so you may do some damage; however, it's better than an fdisk. You will note that some files will not delete. Take note of these file names and locations.
Now comes the dangerous part. After you have gone through all 3 directories, run the registry editor (Start/Run/regedit). You will want to search for the file names that could not be deleted and remove those entries from the registry. Also, go into the hive HKLM/Software/Microsoft/Internet Explorer/Main. You will see some weird entries such as 'Search Page' set to something like 'res://mueck.dll/index.html#42052' (mueck.dll was what alerted me that this was a bad entry). Delete all entries like that. They will not hurt anything serious and usually just fix themselves. Next go into Start/Control Panel/Internet Options and change the home page to something standard like www.yahoo.com.
Also, look in HKLM/Software/Microsoft/Shared Tools/MsConfig for any 5 character dll or exe (e.g. sdhlv.exe) and delete any references to these files.
Restart the machine and boot in command prompt mode (press F7 while restarting). You will want to perform the file delete again. This will get the ones you couldn't get to before. Once the prompt starts, enter the following highlighted text:
C:\> CD \Windows
C:\Windows> dir /O ?????.dll - this will show all the 5 character .dll files in sorted order
Figure out which ones to delete based upon the file name, size and date and delete them.
C:\Windows> del a????.dll - this will delete all 5 character files that begin with the letter 'a'. I was able to delete all the offending files by typing 'del ?????.dll'. You may be able to do the same; just make sure you don't delete any DLLs that are needed by other programs. Certainly anything created today is highly suspect and probably ok to delete.
Do the same thing for all .exe and .dat files and repeat in the System and System32 folders.
Also, make sure to delete the locked files. My whole system was hinged on a single file C:/Windows/javaio32.dll. Once I deleted this file, things were fixed.
I did have to do some of the steps more than once but I was trying to figure out the fix. Hopefully you won't have to do that.
Once done, type exit and restart the computer. When it starts, go into Control Panel/Internet Options and reset the home page to www.yahoo.com in case it was changed. In Control Panel/Add/Remove Programs, look up the names of the suspicious programs. Then run regedit, look for the names and delete the entries. This will remove them from the Add/Remove Programs applet.
Since I don't have (or want) another infected computer, I have not been able to try this a second time from scratch. Hopefully this will work for you.
Good luck.
Mark
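The file heuristics in the post above (5 character random base names with .dll/.exe/.dat extensions, under 100K, dated after a point when nothing legitimate was installed, and lacking a company name in their version info), plus the 'res://' Search Page pattern, expressed as a read-only triage script. This is an added example, not the poster's tooling; the regexes, the 100K cutoff and the sample listing are constructed from the post, and on a real machine the records would come from a directory listing and each file's version resource.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Random 5-letter base name with one of the three extensions the post reports
SUSPECT_NAME = re.compile(r"^[a-z]{5}\.(dll|exe|dat)$", re.IGNORECASE)
# IE 'Search Page' hijack shape from the post: res://<5 chars>.dll/<page>#<digits>
HIJACKED_RES = re.compile(r"^res://[a-z]{5}\.dll/.*#\d+$", re.IGNORECASE)
MAX_SIZE = 100 * 1024  # "less than 100K"

class FileRecord(NamedTuple):
    path: str
    size: int
    mtime: datetime
    company_name: Optional[str]  # None when the version resource has no CompanyName

def is_suspect(rec: FileRecord, installed_after: datetime) -> bool:
    """Apply the post's heuristics; True means 'review this file', not 'delete it'."""
    name = rec.path.replace("\\", "/").rsplit("/", 1)[-1]
    if not SUSPECT_NAME.match(name):
        return False
    if rec.size >= MAX_SIZE or rec.mtime < installed_after:
        return False
    # Legitimate system binaries (e.g. ntdll.dll, also 5 letters) carry a company name
    return not rec.company_name

def triage(records: List[FileRecord], installed_after: datetime) -> List[str]:
    return sorted(r.path for r in records if is_suspect(r, installed_after))

def is_hijacked_search_page(value: str) -> bool:
    return bool(HIJACKED_RES.match(value))

# Constructed sample listing for illustration; not data from any real scan
BASELINE = datetime(2004, 6, 1)
SAMPLE = [
    FileRecord(r"C:\Windows\System32\kernel32.dll", 983040, datetime(2004, 5, 1), "Microsoft Corporation"),
    FileRecord(r"C:\Windows\sdhlv.dll", 45056, datetime(2004, 7, 2), None),
    FileRecord(r"C:\Windows\System\qdefl.dll", 61440, datetime(2004, 7, 3), None),
    FileRecord(r"C:\Windows\System32\ntdll.dll", 700000, datetime(2004, 7, 3), "Microsoft Corporation"),
    # 8-character name: the post's locked file is outside the 5-character heuristic
    FileRecord(r"C:\Windows\javaio32.dll", 30000, datetime(2004, 7, 3), None),
]

if __name__ == "__main__":
    for path in triage(SAMPLE, BASELINE):
        print("review:", path)
    print("search page hijacked:", is_hijacked_search_page("res://mueck.dll/index.html#42052"))
```

The javaio32.dll record is deliberately missed by the name filter to show why the poster still had to check locked files by hand.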
Shoot me an email address and I'll email you a solution. I've dealt with it at work, and found something that's worked a few times.
Re: Spyware help! CoolWebSearch
Use Spy Sweeper by Webroot. Gets rid of mostly everything.
Thanks for the informative post.
I've been wrestling with this POS for a little bit now myself... I'm on the upside now.
Also NOTE: run your Ad-Aware and Search & Destroy while in Safe Mode. Much more effective that way.
Re: Spyware help! CoolWebSearch
I'm fighting with this damn thing right now. I'll tell ya... I've never had this much trouble with spyware before... the thing is like a cockroach.
Agree on the ball shave.
Re: Spyware help! CoolWebSearch
Try these guys... they are in depth about this crap.
Got many programs and other good bots that help with it. I had to wipe my hard drive just to get rid of this crap!