re: wwwcoolwebsearch.msconfig
Friday, October 29, 2004 at 9:08 pm Posted by James Hilke
(24 messages posted)
Have you tried the newest version of CoolWebSearch Shredder? The newest version is
v2.0 and should get rid of the variant you have. You can get it here: http://cwshredder.net/bin/CWSInstall.exe
On Friday, October 29, 2004 at 8:48 pm, pat rhodes wrote:
>Spybot won't fix this.... I've tried CWShredder... no luck... what next? help!!!!
|
re: wwwcoolwebsearch.msconfig
Friday, October 29, 2004 at 9:25 pm Posted by pat rhodes
(78 messages posted)
Yes, I did. It says that it is not present... Spybot says it is... who ya gonna believe???
On Friday, October 29, 2004 at 9:08 pm, James Hilke wrote:
>Have you tried the newest version of CoolWebSearch Shredder? The newest version is
>v2.0 and should get rid of the variant you have. You can get it here: http://cwshredder.net/bin/CWSInstall.exe
|
re: wwwcoolwebsearch.msconfig
Friday, October 29, 2004 at 9:30 pm Posted by Yap
(4094 messages posted)
Do a full system scan in safe mode.
|
re: wwwcoolwebsearch.msconfig
Friday, October 29, 2004 at 9:31 pm Posted by Yap
(4094 messages posted)
...if the problem persists, download FINDnFIX,
extract it to C:\ and then run "!LOG!.BAT".
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 8:52 am Posted by pat rhodes
(78 messages posted)
Sorry... forgot how to get to safe mode and back. Spybot says it's in the registry... can
I delete it?
On Friday, October 29, 2004 at 9:30 pm, Yap wrote:
>Do a full system scan in safe mode.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 9:08 am Posted by Yap
(4094 messages posted)
To start the computer in safe mode
You should let Spybot do it for you... but it can also be a false positive alarm...
Use HijackThis to make sure of it.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 9:29 am Posted by pat rhodes
(78 messages posted)
This says it's for WinXP/SP2... I don't have SP2... can I still use it?
On Friday, October 29, 2004 at 9:31 pm, Yap wrote:
>...if the problem persists, download FINDnFIX,
>extract it to C:\ and then run "!LOG!.BAT".
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 9:30 am Posted by pat rhodes
(78 messages posted)
I downloaded HijackThis... I have no idea what to delete on the list... how
do you know?
On Saturday, October 30, 2004 at 9:08 am, Yap wrote:
>To start the computer in safe mode
>You should let Spybot do it for you... but it can also be a false positive alarm...
>Use HijackThis to make sure of it.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 4:25 pm Posted by Falcon
(13489 messages posted)
You may post the log here...
The Wereotter
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 5:22 pm Posted by Yap
(4094 messages posted)
Which part of it said it is for XP SP2?
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 5:23 pm Posted by Yap
(4094 messages posted)
Yes... copy the log and post it back here.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 5:44 pm Posted by pat rhodes
(78 messages posted)
Believe me, I'm not a blonde... I read it thinking SP2, when actually it said Win/2k... duh... 2000?
How do I post the log?
On Saturday, October 30, 2004 at 5:22 pm, Yap wrote:
>Which part of it said it is for XP SP2?
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 5:57 pm Posted by Yap
(4094 messages posted)
:)
Run HijackThis -> Scan -> Save Log -> Save -> Select All -> Copy -> paste into this
forum's reply box.
If you have FrontPage installed, after copying the saved log it is better to first paste it
into FrontPage -> click the HTML tab -> then copy
everything between < body > ... < /body > in the HTML tab (do not include the body and
/body tags) -> just paste that into the forum reply box... this way the
message will be nicely formatted.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 7:09 pm Posted by pat rhodes
(78 messages posted)
Logfile of HijackThis v1.98.2
Scan saved at 8:32:05 PM, on 10/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PV92Tray.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Ralph Rhodes\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ev1.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ev1.net/english/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ev1.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Everyones Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [Windows System Manager] winsystem.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector
O4 - HKLM\..\Run: [fbdirect] C:\Program Files\ScanSoft\PaperPort\fbdirect.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Windows System Manager] winsystem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop
Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.birdville.k12.tx.us/CFIDE/classes/CFJava.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader_sp1_t/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1B61C5E-8337-4A8E-A26B-6C507BB30EDA}: NameServer = 209.63.0.6 207.173.86.6
On Saturday, October 30, 2004 at 5:57 pm, Yap wrote:
>:)
>Run HijackThis -> Scan -> Save Log -> Save -> Select All -> Copy -> paste into this
>forum's reply box.
>If you have FrontPage installed, after copying the saved log it is better to first paste it
>into FrontPage -> click the HTML tab -> then copy
>everything between < body > ... < /body > in the HTML tab (do not include the body and
>/body tags) -> just paste that into the forum reply box... this way the
>message will be nicely formatted.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 7:22 pm Posted by Yap
(4094 messages posted)
Run HijackThis again and give a check mark to all the items in red to fix them...
Do the same for the ones in green in case you don't, or no longer, have a relationship with
the site:
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Windows System Manager] winsystem.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.birdville.k12.tx.us/CFIDE/classes/CFJava.cab
Search for and delete all the above files from Windows Explorer;
the DPF ones can be found in c:\windows\downloaded program files\
Read the additional removal methods
from these sites:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.treb.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.EU
http://www.pestpatrol.com/PestInfo/b/blaire.asp
http://nl.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=65604&VName=TROJ_BANCOS.CR&VSect=O
http://www.pestpatrol.com/pestinfo/p/powerreg_scheduler.asp
Common Steps of Virus - Trojan - Spyware - Malware - Adware Removal
1. Turn off System Restore, empty the Temp and Temporary Internet Files folders,
also the Recycle Bin...
2. Run an online virus scan at the Trend Micro or Panda site
3. Update your virus definitions and scan the system...
◊ Download, install and update AVG or AntiVir in case you don't have anti-virus
software
◊ Download the last version of the Stinger stand-alone virus scanner
4. Download, install, update and run the fixer of CWShredder and the
CoolWWWSearch.SmartKiller removal tool
5. Download, install and update Spybot, Ad-aware, and the VX2cleaner
plug-in for Ad-aware
6. Run a full system scan in safe mode with Stinger, Spybot and Ad-aware (run the
VX2cleaner scan first)
7. Download, install and update Spywareblaster, one of the firewalls
Zonealarm / Kerio, and DCOMbobulator for extra protection
8. If the problem persists, download HijackThis and send the report log back to
this forum
9. Turn on System Restore
Note:
All the above software is free for personal use.
When an email address is needed for registration, some sites (not explicitly) deny
Hotmail accounts; this probably applies to all free email addresses.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 7:47 pm Posted by Falcon
(13489 messages posted)
Fix these entries in HijackThis, then reboot immediately:
O4 - HKLM\..\Run: [Windows System Manager] winsystem.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Windows System Manager] winsystem.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.birdville.k12.tx.us/CFIDE/classes/CFJava.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader_sp1_t/imloader.cab
Post another log.
The Wereotter
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 9:27 pm Posted by pat rhodes
(78 messages posted)
Logfile of HijackThis v1.98.2
Scan saved at 11:23:04 PM, on 10/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Ralph Rhodes\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ev1.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ev1.net/english/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ev1.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Everyones Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector
O4 - HKLM\..\Run: [fbdirect] C:\Program Files\ScanSoft\PaperPort\fbdirect.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
On Saturday, October 30, 2004 at 7:47 pm, Otter wrote:
>Fix these entries in HijackThis, then reboot immediately:
>
>O4 - HKLM\..\Run: [Windows System Manager] winsystem.exe
>O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
>O4 - HKLM\..\Run: [Microsoft Updater Resources] Win32Fixer.exe
>O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
>O4 - HKLM\..\RunServices: [Microsoft Updater Resources] Win32Fixer.exe
>O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
>O4 - HKLM\..\RunServices: [Windows System Manager] winsystem.exe
>O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
>O4 - Startup: PowerReg Scheduler V3.exe
>O4 - Startup: PowerReg SchedulerV2.exe
>O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
>O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
>O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.birdville.k12.tx.us/CFIDE/classes/CFJava.cab
>O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
>O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
>O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader_sp1_t/imloader.cab
>
>Post another log.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 9:39 pm Posted by Yap
(4094 messages posted)
Have you tried my suggestion http://www.annoyances.org/exec/forum/winxp/1099189374
? Other than that, those are legitimate processes/files.
... Don't forget, after the HijackThis scan, to give a check mark in front of every listed
item I've written there... then click the Fix button and click Yes when HijackThis asks.
After restarting the computer, try to scan one more time to make sure all the fixed items
are not coming back.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 10:05 pm Posted by pat rhodes
(78 messages posted)
I've tried it all... still got wwwcoolsearch.msconfig... can I live with this? What
will happen if I can't get rid of it?
On Saturday, October 30, 2004 at 9:39 pm, Yap wrote:
>Have you tried my suggestion http://www.annoyances.org/exec/forum/winxp/1099189374
>? Other than that, those are legitimate processes/files.
>... Don't forget, after the HijackThis scan, to give a check mark in front of every listed
>item I've written there... then click the Fix button and click Yes when HijackThis asks.
>After restarting the computer, try to scan one more time to make sure all the fixed items
>are not coming back.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 10:53 pm Posted by Yap
(4094 messages posted)
Sooner or later this crap will destroy your system...
Let me repeat it all to make sure you have not missed some procedure:
First, turn off System Restore, empty the Temp, Temporary Internet Files and
Recycle Bin folders.
Second, run HijackThis -> Scan -> and give a check mark in front of every
item below -> click "Fix checked":
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Windows System Manager] winsystem.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.birdville.k12.tx.us/CFIDE/classes/CFJava.cab
Third, search C:\ for every file above (suchost.exe; win32fixer.exe;
winsystem.exe; powerreg scheduler v3.exe; powerreg schedulerv2.exe;
dd_v4.cab; cfjava.cab) and delete them all.
Fourth, follow every removal instruction for files and registry keys from the
sites below:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.treb.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.EU
http://www.pestpatrol.com/PestInfo/b/blaire.asp
http://nl.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=65604&VName=TROJ_BANCOS.CR&VSect=O
http://www.pestpatrol.com/pestinfo/p/powerreg_scheduler.asp
Then restart the computer.
Fifth, follow every step of the instructions below from first to last; do not
forget to get the very latest version of the software below... clicking the link will
bring you to download the latest software.
Common Steps of Virus - Trojan - Spyware - Malware - Adware Removal
1. Turn off System Restore, empty the Temp and Temporary Internet Files folders,
also the Recycle Bin...
2. Run an online virus scan at the Trend Micro or Panda site
3. Update your virus definitions and scan the system...
◊ Download, install and update AVG or AntiVir in case you don't have anti-virus
software
◊ Download the last version of the Stinger stand-alone virus scanner
4. Download, install, update and run the fixer of CWShredder and the
CoolWWWSearch.SmartKiller removal tool
5. Download, install and update Spybot, Ad-aware, and the VX2cleaner
plug-in for Ad-aware
6. Run a full system scan in safe mode with Stinger, Spybot and Ad-aware (run the
VX2cleaner scan first)
7. Download, install and update Spywareblaster, one of the firewalls
Zonealarm / Kerio, and DCOMbobulator for extra protection
8. If the problem persists, download HijackThis and send the report log back to
this forum
9. Turn on System Restore
Note:
All the above software is free for personal use.
When an email address is needed for registration, some sites (not explicitly) deny
Hotmail accounts; this probably applies to all free email addresses.
It is also necessary to run CWShredder v2.0 and the CoolWWWSearch.SmartKiller
removal tool in safe mode.
|
re: wwwcoolwebsearch.msconfig
Saturday, October 30, 2004 at 10:58 pm Posted by Yap
(4094 messages posted)
http://www.annoyances.org/exec/forum/winxp/1099202018
|
re: wwwcoolwebsearch.msconfig
Sunday, October 31, 2004 at 12:17 am Posted by Ms. Eagle
(33507 messages posted)
Pat, you need to get rid of this trojan. It's a serious security risk. Treb trojan:
a trojan that gives remote access to your system using listening proxy servers.
You can also uninstall all instances of either of these listed in Add/Remove Programs:
PowerReg Scheduler and BackWeb. Additionally, if there's anything suspicious, or
something you didn't install yourself, remove it. Note the first two O4 entries?
Those are trojans, nothing to do with MS.
Log off and close ALL open windows. Run HJT. Select these items. Choose Fix checked.
Reboot into SAFE MODE.
O4 - HKLM\..\Run: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
Make sure all hidden files are showing:
How to Show System Files
Run a search for these files and delete them:
Win32Fixer.exe
SUCHOST.EXE
Problematic Windows app: mdm.exe
Clear out ALL temp folders while still in safe mode. Internet Options - delete TIF
and choose 'Delete all offline content'. Empty the C:\Windows\temp folder and the C:\temp
folder, if you have one. XP -> C:\Documents and Settings\username\Local Settings\Temp
(for all users). Empty the Recycle Bin.
Reboot into Normal mode. Then please run HJT again and post the New log, and someone
will check it out.
P.S. In the meantime, if you don't have SpywareBlaster installed, I suggest you
do that, download the updates, then enable protection.
Dealing with Unwanted Spyware and Parasites
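What the helpers in this thread do by eye on the two posted HijackThis logs can be written down as a few checks: an autostart (O4) value whose name sounds like Microsoft but whose program is a bare filename with no path, the same value name planted under both Run and RunServices, a program name one character away from a real system binary (SUCHOST.EXE against svchost.exe), and then a comparison of the second log with the first to see which checked items were really removed. The Python below is an added example and is not code from the thread, from HijackThis or from any of the tools named above. It works on constructed excerpts of the two posted logs, embedded as strings; the heuristics, the SYSTEM_BINARIES list and the "two or more red flags" threshold are my own assumptions about what an analyst checks, not HijackThis rules.

```python
"""Triage HijackThis O4 autostart entries and diff a before/after pair of logs.

Added example, not code from the thread or from HijackThis. The sample logs are
constructed excerpts of the two logs posted above; the heuristics and the
SYSTEM_BINARIES list are the author's assumptions about what an analyst checks.
"""
import re
from collections import Counter

# Constructed sample: registry O4 lines taken from the first posted log (before fixing).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Windows System Manager] winsystem.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKLM\..\RunServices: [Windows System Manager] winsystem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Constructed sample: the same keys from the second posted log (after "Fix checked").
LOG_AFTER = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Updater Resources] Win32Fixer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Automatic Microsoft Windows Updater] SUCHOST.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Registry-backed O4 lines look like: O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Binaries that malware likes to imitate by name (assumption, not a HijackThis list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}


def parse_o4(log):
    """Return the registry O4 entries of a HijackThis log as dicts."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def executable(cmd):
    """Pull the program out of a Run value: a quoted path, or else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def edit_distance(a, b):
    """Levenshtein distance, enough to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log):
    """Map (hive, key, name) -> list of red flags for every O4 entry that has any."""
    entries = parse_o4(log)
    # The same value name under both HKLM Run and RunServices is the belt-and-braces
    # persistence seen in the first log.
    hklm_names = Counter(e["name"] for e in entries if e["hive"] == "HKLM")
    flagged = {}
    for e in entries:
        exe = executable(e["cmd"])
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\" not in exe:
            reasons.append("bare filename, located via PATH search")
        if hklm_names[e["name"]] > 1:
            reasons.append("same value name under both Run and RunServices")
        if re.search(r"microsoft|windows", e["name"], re.I) and \
                not re.search(r"\\windows\\|microsoft", exe, re.I):
            reasons.append("Microsoft-sounding name outside Microsoft/Windows paths")
        if base not in SYSTEM_BINARIES and any(edit_distance(base, s) <= 1 for s in SYSTEM_BINARIES):
            reasons.append("one-character look-alike of a system binary")
        if reasons:
            flagged[(e["hive"], e["key"], e["name"])] = reasons
    return flagged


def suspicious(log, min_reasons=2):
    """Entries with at least min_reasons red flags, most suspicious first."""
    keep = {k: v for k, v in triage(log).items() if len(v) >= min_reasons}
    return sorted(keep.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def diff_logs(before, after):
    """What a 'Fix checked' pass removed, what survived it, and what is new."""
    b = {(e["hive"], e["key"], e["name"]) for e in parse_o4(before)}
    a = {(e["hive"], e["key"], e["name"]) for e in parse_o4(after)}
    return {"removed": b - a, "persisted": b & a, "added": a - b}


def unfinished(before, after, min_reasons=2):
    """Suspicious entries from the first log that are still in the second one."""
    still = diff_logs(before, after)["persisted"]
    return [k for k, _ in suspicious(before, min_reasons) if k in still]


if __name__ == "__main__":
    for key, reasons in suspicious(LOG_BEFORE):
        print(f"{key[0]}\\{key[1]}\\[{key[2]}]: {', '.join(reasons)}")
    print("still present after the fix:", unfinished(LOG_BEFORE, LOG_AFTER))
```

A single flag is only a prompt to check the file on disk: the legitimate nwiz.exe entry in the same log is also a bare filename, which is why the threshold is two reasons. Run against the two excerpts, the diff shows Win32Fixer.exe under Run and SUCHOST.EXE under RunServices surviving the first fix pass, which is exactly what the follow-up list in the last post targets, and the "same name under Run and RunServices" flag is the reason both keys have to be fixed in the same pass before rebooting.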