Please help rid me of lucky search hijack
booshwah
November 22nd, 2003, 02:13 PM
I have the lucky search hijack. I have tried cwshredder and spybot to rid it, but have had no luck. Here is my Hijack this log file.
Will you tell me what to remove? Thanks. You all are great!
Pieter_Arntz
November 22nd, 2003, 02:24 PM
Hi booshwah,
Welcome at Wilders. :)
Did you create and implement C:\WINNT\Web\tips.ini as a stylesheet yourself?
If not, could you please open that file in notepad and post its content in your next post?
Regards,
Pieter
booshwah
November 22nd, 2003, 02:38 PM
I didn't create it. Here is the text. I hope this is what you are looking for. Thanks.
Pieter_Arntz
November 22nd, 2003, 02:45 PM
Hi booshwah,
Thanks. There is another mystery in your log:
C:\WINNT\System32\soundmx.exe
Can you find that file and check its properties?
For the time being in IE, click Tools > Internet Options > General tab > Accessibility > uncheck the stylesheet option
Regards,
Pieter
booshwah
November 22nd, 2003, 02:54 PM
It looks like an older executable. I have attached a screenshot of its properties. Also I have unchecked stylesheet option.
Made the attachment a bit smaller
Pieter_Arntz
November 22nd, 2003, 03:03 PM
Hi booshwah,
Could you reboot and make a new HijackThis log please?
And mail C:\WINNT\System32\soundmx.exe to the address in my profile please?
Regards,
Pieter
booshwah
November 22nd, 2003, 03:13 PM
Here is the new log file. The file you requested should be to your mail shortly. Thanks again.
Pieter_Arntz
November 22nd, 2003, 03:19 PM
Hi booshwah,
Are you noticing what I'm noticing?
I'm afraid we have discovered a new variant of CWS here.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?uyoqs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?uyoqs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?uyoqs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?uyoqs about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?uyoqs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?uyoqs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?uyoqs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?uyoqs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?uyoqs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?uyoqs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?uyoqs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?uyoqs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?uyoqs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?uyoqs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?uyoqs (obfuscated)
O4 - HKLM\..\Run: [Soundmx] C:\WINNT\System32\soundmx.exe
O19 - User stylesheet: C:\WINNT\Web\tips.ini
O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)
Then reboot again and let me know if I guessed right.
Please mail me C:\WINNT\hh.htt as well.
Regards,
Pieter
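The items Pieter lists above are the three footholds of this variant: IE start/search registry values pointing at one host, an autorun entry, and IE user stylesheets. The following script, an added example rather than anything posted in the thread, parses HijackThis lines in exactly that format and flags those three patterns so a reviewer can triage a log before deciding what to fix. The host list and the sample log lines are constructed from what this thread shows.

```python
import re
from urllib.parse import urlsplit

# Entry shapes exactly as they appear in the thread's HijackThis listing.
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O19_LINE = re.compile(r"^O19 - User stylesheet: (?P<path>\S+)")

# Host seen in this thread's hijack; a real triage list would be maintained from samples.
HIJACK_HOSTS = {"in.webcounter.cc"}

def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if unremarkable."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        obfuscated = m["data"].endswith("(obfuscated)")
        data = m["data"].replace("(obfuscated)", "").strip()
        for token in data.split():  # Start Page carries two URLs on one line
            host = urlsplit(token).hostname
            if host in HIJACK_HOSTS:
                return ("high", f"{m['name'].strip()} points at known hijack host {host}")
        if obfuscated:
            return ("review", f"{m['name'].strip()} uses an obfuscated URL")
        return None
    m = O4_LINE.match(line)
    if m:
        return ("review", f"autorun [{m['name']}] -> {m['path']}: check file properties")
    m = O19_LINE.match(line)
    if m:
        return ("review", f"user stylesheet {m['path']}: confirm the user configured it")
    return None

def triage_log(text):
    """Return a list of (severity, entry_type, reason) for every flagged line."""
    findings = []
    for line in text.splitlines():
        result = triage_line(line)
        if result:
            findings.append((result[0], line.split(" - ", 1)[0], result[1]))
    return findings

# Constructed sample: lines from the thread plus one benign Local Page entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?uyoqs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?uyoqs about:blank (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
O4 - HKLM\..\Run: [Soundmx] C:\WINNT\System32\soundmx.exe
O19 - User stylesheet: C:\WINNT\Web\tips.ini
O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)
"""

if __name__ == "__main__":
    for severity, kind, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {kind}: {reason}")
```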
booshwah
November 22nd, 2003, 03:36 PM
You're good. That seems to have gotten rid of it. Thanks. You guys are great!!!!!!! ;
booshwah
November 22nd, 2003, 03:38 PM
Also I think you are probably right about the new variant thing. I had the global finder hijack not too long ago and cwshredder wiped it out and this time it didn't work. Tried many things that didn't work. I'm glad I stumbled across you guys. Thanks again. I can't believe your responses are so quick!!
Pieter_Arntz
November 22nd, 2003, 03:41 PM
Hi booshwah,
Glad we could help.
When I smell CWS I'm faster than a leopard. ;)
I have not received any files yet. You did send them, right?
I would like to get this added to CWShredder as fast as possible.
Regards,
Pieter
subratam
November 22nd, 2003, 03:43 PM
Would like to say, boos,
Wilders really is a place to get help and to give help. I was seeing the post when I came across the new variant. I just made a note of it. Pieter is great at analysing hijacks.
Good luck, y'all.
booshwah
November 22nd, 2003, 03:46 PM
I did send the soundmx.exe to your email several minutes ago. I can't find the C:\WINNT\hh.htt you requested though. I see a hh.exe and a "folder.hht" but that's it. When I run the C:\WINNT\hh.htt from the run command with notepad, I get some info there. Any advice on finding the file? Let me know if you didn't receive soundmx.exe and I will resend it as well. Thanks.
Pieter_Arntz
November 22nd, 2003, 04:14 PM
I don't think you can run a .htt that way.
I think HijackThis destroyed it. No problem as long as I get soundmx.exe. I think I can generate as many hh.htt's as I want.
It could take a while until I receive it. I'll report back if I haven't got it in a half hour from now.
Thanks for helping out.
I have found two more people with the same hijack in the meantime. >:(
Regards,
Pieter
booshwah
November 22nd, 2003, 09:23 PM
Pieter,
If you are still looking for that soundmx file, it probably came to your email with a sender name of "Burm metcuf" instead of booshwah. Hope this helps. Thank you.
Pieter_Arntz
November 23rd, 2003, 05:18 AM
Hi booshwah,
I received it in the meantime and forwarded it to the anti-spyware industry.
As far as CWS goes this one is relatively harmless. All it does is hijack the start- and search pages and add two stylesheets.
Thank you for submitting that file. :)
Regards,
Pieter
Pieter_Arntz
November 23rd, 2003, 04:58 PM
Hi booshwah,
Could you please download, unzip and run CWShredder (http://www.spywareinfo.com/~merijn/files/cwshredder.zip)
Make sure you have version 1.36.0
This will remove anything we left behind.
Regards,
Pieter