NTSEARCH DRIVING ME NUTS!
cherrycola
December 2nd, 2004, 05:05 PM
Hi, I wonder if anyone can help me? I have run Ad-Aware and Spybot scans, several anti-virus scans, Hijack This and CWS Shredder, but none of them have found anything.
I keep getting links to ntsearch appearing in posts on my new message board. I closed down my old boards because of this thinking it was their server to blame, but obviously not because my new boards are being hosted by a different server.
Here is an example from a post on my message boards. The longer the post, the more links to ntsearch.
---------------------------------------------------------------------
Hi Lisa! I have made you a moderator for the UK Forums and UK <a href="http://www.ntsearch.com/search.php?q=Music&v=56">Music</a> Artist Forums!
<a href="http://www.ntsearch.com/search.php?q=Love&v=56">Love</a> Isabel xxx
--------------------------------------------------------------------
Can someone help me get rid of it? Please? :'(
GlobalForce
December 2nd, 2004, 07:26 PM
Hi cherrycola, and Welcome to Wilder's! :)
Did you run CWS with all browser windows closed? If not, please follow the directions provided here (http://www.wilderssecurity.com/showpost.php?p=242304&postcount=2).
ntsearch is a variant of the CoolWebSearch hijacker. Let's see if this clears up the issue.
If you need a fresh copy of CWS, use the MajorGeeks site.....
GF
cherrycola
December 2nd, 2004, 08:28 PM
Hi again and thanks for your help. I downloaded a fresh version of CWS Shredder and clicked on 'Fix'. It found nothing, so I re-booted and scanned again. It said that CoolWebSearch had not been found on my system.
I installed SpySubtract and ran it on the thorough scan. It found 2 infected registry keys and 1 infected file. They were from when I installed Kazaa. I removed Kazaa immediately after installing it because of the adware and BHOs it installed with it!
There is nothing else showing on my computer. I've started wondering about the ntsearch links, though. They have all been in posts from the same person on both my message boards. The links appear when she quotes someone else's post. Could it be possible that her computer is infected with CoolWebSearch? ???
GlobalForce
December 2nd, 2004, 08:34 PM
In control panel, open add/remove programs and look for any of these.....
MediaLoads Enhanced, DownloadWare, WindowEnhancer, New.Net, or WhenUSave.
GF
cherrycola
December 2nd, 2004, 08:40 PM
Yep, I closed down my other forums thinking the server was infected. I opened the new forums with a different server yesterday. The person whose posts contain the ntsearch links joined today and she quoted me in her first post and the ntsearch links appeared again!
I've just opened up Task Manager and there's no sp.exe listed.
GlobalForce
December 2nd, 2004, 08:44 PM
Please look above at previous post (time insertion error). Thanks.
GF
cherrycola
December 2nd, 2004, 08:49 PM
No, none of them in add/remove programs. A while ago Pest Patrol found WhenUSave on my computer and deleted it.
GlobalForce
December 2nd, 2004, 08:54 PM
What's the operating system you're on?
Your anti-virus program?
GF
cherrycola
December 3rd, 2004, 06:09 PM
I've got Windows XP Service Pack 2. My anti-virus program is Kaspersky Personal 5.0. I did a full scan this evening. It checked nearly 203,000 files and the result was clean. It was last automatically updated at 8:00pm.
GlobalForce
December 3rd, 2004, 09:31 PM
203,000 files! :o
Hi again CC, do you use a "hosts" file?
Could you open a run box, then copy and paste this line in if windows is on your C drive....
c:\Windows\system32\drivers\etc
otherwise, alter path to suit. Then open with notepad (if windows says it can't, choose notepad from the program list).
You're looking for any reference to CoolWebSearch. If you don't use a hosts file,
it should look something like this.....
-{ Quote: "http://img4.exs.cx/img4/5804/a3-Capture9-27-2004-.gif" }-
Hang in there CC, we'll get this worked out. ;)
Just trying to avoid getting ahead of myself.
GF
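Added example, not part of any post in this thread: a Python sketch of the hosts-file check described above. It goes beyond looking for the name CoolWebSearch and lists every active mapping other than localhost on a loopback address; the sample text is constructed from the file posted in this thread plus one made-up redirect entry (`search.example.test` is hypothetical).

```python
import ipaddress

# Constructed sample: active lines and the commented B9 block as in the hosts
# file posted in this thread, plus one constructed redirect entry for contrast.
SAMPLE_HOSTS = """\
# this is a sample hosts file used by microsoft tcp/ip for windows.
127.0.0.1 localhost
127.0.0.1 localhost
# Begin B9
##127.98.9.1 b9.127.0.0.1.b9
#127.98.9.2 b9.127.0.0.1
# End B9
203.0.113.7 search.example.test
"""


def audit_hosts(text):
    """Return (active, review): every live mapping, and those needing a look."""
    active, review = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments never take effect
        if not line:
            continue
        ip, *names = line.split()
        entry = (lineno, ip, names)
        active.append(entry)
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False  # malformed address: always review
        # Only "localhost" on a loopback address is expected in a default file.
        if not (loopback and names and all(n.lower() == "localhost" for n in names)):
            review.append(entry)
    return active, review


if __name__ == "__main__":
    active, review = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(active)} active entries, {len(review)} to review")
    for lineno, ip, names in review:
        print(f"  line {lineno}: {ip} -> {' '.join(names)}")
```

The commented-out B9 lines are correctly ignored, since anything after `#` has no effect on name resolution.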
cherrycola
December 4th, 2004, 09:01 AM
Hi again, I copied and pasted the Host file info. I removed the Benign program months ago, but it is still showing as B9.
=========================================================
# copyright (c) 1993-1999 microsoft corp.
# this is a sample hosts file used by microsoft tcp/ip for windows.
# this file contains the mappings of ip addresses to host names. each
# entry should be kept on an individual line. the ip address should
# be placed in the first column followed by the corresponding host name.
# the ip address and the host name should be separated by at least one
# space.
# additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# for example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
# Begin B9
##127.98.9.1 b9.127.0.0.1.b9
#127.98.9.2 b9.127.0.0.1
# End B9
========================================================
GlobalForce
December 4th, 2004, 02:23 PM
Hangin' in there CC? ;) OK, no worries there.
I'd like you to have another go at this post (http://www.wilderssecurity.com/showpost.php?p=242304&postcount=2) showing hidden files (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and system restore disabled (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam).
Then re-run HJT (from its own folder on the C drive), again with all windows closed and saving the log file.
I'll point out at this time I'm not qualified to assist any further as Wilder's no longer provides HJT analysis.
You may copy and paste your logfile here (http://www.hijackthis.de/index.php?langselect=english) and here (http://www.help2go.com/modules.php?name=HJTDetective) for self reference. I would suggest seeking expert analysis from
one of the legitimate sites listed here (http://asap.maddoktor2.com/).
*Please keep in mind both CWShredder and HJT are powerful programs capable of damage if improperly used.
Should you decide to have HJT (tutorial (http://www.spywareinfoforum.com/~merijn/htlogtutorial.html)) "fix" anything....please empty the recycle bin and do so in safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)
with proper back-ups (alternative safe mode (http://www.theeldergeek.com/repairing_windows_xp.htm), scroll to red letters). Remember to unregister any DLL files targeted
for deletion with regsvr32.
If you need the latest version of HJT at ver1.98.2.exe, direct download here (http://www.wilderssecurity.com/supportfiles/HijackThis1982.exe).
Further information on tools, techniques, and links provided by Blackspear here (http://www.wilderssecurity.com/showthread.php?t=50662).
If you're using IE as your browser, I would strongly recommend IE SPYADS (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD).
Online trojan scan at this address.....http://www.windowsecurity.com/trojanscan/.
Pest report here (active content enabled).....http://www.doxdesk.com/parasite/
Any further questions or to update your status are welcomed. 8)
Please feel free.....
GF
cherrycola
December 28th, 2004, 12:46 PM
Hi again, I've FINALLY sorted it out! It was on one of my message board members' computers, that's why ntsearch links kept appearing when she was quoting other people's posts. I put up a topic asking everyone to check for ntsearch and I provided the link for the uninstall tool from ntsearch.com. The member with the affected computer said that it told her it had been removed and to reboot her computer.
Thanks for all your help and advice! :)
GlobalForce
December 28th, 2004, 05:26 PM
It's good to learn a thing or two every day :D :P ,
seems I missed out on the "key clue" in your very first post there cherrycola.....
-{ Quote: "I keep getting links to ntsearch appearing in posts on my new message board." }-
You sure brought out the obvious....maybe you could help me sometime! ;)
I'm truly happy :) to hear someone got it all sorted. I ~ hands clapping ~ your splendid idea for reaching a resolve.
I wasn't sure what happened to you as it's been awhile, but I'd like to thank you personally for making it back with
a solution that may prove useful for others in the future. 8)
Now if you'll please excuse me....
I have an appointment with both my optometrist and comprehension counselor! ;D
Best cherrycola,
GF
puff-m-d
December 28th, 2004, 05:48 PM
Hi cherrycola,
-{ Quote: "It was on one of my message board members' computers, that's why ntsearch links kept appearing when she was quoting other people's posts. I put up a topic asking everyone to check for ntsearch and I provided the link for the uninstall tool from ntsearch.com." }-
I wish I had noticed this thread a little sooner and I could have saved you a little work. We have had the same problem here with a couple of posters and it has always been their system was infected. I am glad you got it sorted out and fixed ;) ...
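Added example, not part of any post in this thread and not vBulletin code: a Python sketch of a board-side check for the pattern this thread ends on, where keyword links to ntsearch.com are inserted into a post by the submitting member's infected browser. The first two lines of the sample post are the ones quoted in the first post; the author names, the third line and `forum.example.test` are constructed.

```python
import html
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

BLOCKED_DOMAINS = {"ntsearch.com"}  # domain named in this thread
ANCHOR = re.compile(r'<a\s[^>]*?href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def _blocked(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def scrub_post(body):
    """Unwrap anchors that point at blocked domains; return (clean, findings)."""
    findings = []

    def unwrap(m):
        try:
            parts = urlsplit(html.unescape(m.group(1)))
        except ValueError:
            return m.group(0)  # unparsable href: leave for normal sanitising
        if not _blocked(parts.hostname):
            return m.group(0)  # legitimate link, keep as written
        keyword = parse_qs(parts.query).get("q", [""])[0]
        findings.append({"host": parts.hostname, "keyword": keyword})
        return m.group(2)  # keep the member's word, drop the injected link

    return ANCHOR.sub(unwrap, body), findings


def injected_by_author(posts):
    """Count injected links per author to find whose machine to check."""
    counts = Counter()
    for author, body in posts:
        counts[author] += len(scrub_post(body)[1])
    return {a: n for a, n in counts.items() if n}


# Sample input: lines 1-2 as quoted in the thread, line 3 constructed.
SAMPLE_POST = (
    'Hi Lisa! I have made you a moderator for the UK Forums and UK '
    '<a href="http://www.ntsearch.com/search.php?q=Music&v=56">Music</a> Artist Forums!\n'
    '<a href="http://www.ntsearch.com/search.php?q=Love&v=56">Love</a> Isabel xxx\n'
    'See <a href="http://forum.example.test/rules">the rules</a>.'
)

if __name__ == "__main__":
    clean, found = scrub_post(SAMPLE_POST)
    print(clean)
    print(found)
```

Counting findings per author reproduces the clue from the thread: the injected links always arrive in posts submitted from one member's machine, whoever originally wrote the quoted text.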
Copyright ©2002 - 2012, Wilders Security Forums