# CoolWebSearch Problems

Seems I've been hijacked by the coolwebsearch spyware program. I've run Ad-Aware 6 and Spybot S&D numerous times; each time it still finds problems. Firstly, each time I scan with Ad-Aware 6, it seems to repetitively find registry entries related to "possible browser hijack attempts" as well as a single file each time, listed in my System32 folder related to the CoolWebSearch program. I've run both spyware programs numerous times, and it does not seem to rid me of this problem.

Below I have posted my HJT log, in hopes that someone may be able to help me. From reading the log myself, I do not notice anything out of the ordinary. However, each time I reboot my computer, or after a couple of hours go by, new registry entries appear in the log file. Regardless, below is the log, after cleaning by both Spybot and Ad-Aware.

A second problem I have is a puzzling one. I also run Spybot S&D's resident program. Basically, it watches for important registry entry changes, and allows me to either block or allow them. Now, every time it asks me to change these settings (usually upon exiting IE, or sometimes randomly), I ALWAYS press "Remember this decision" and "Deny change". However, these changes STILL take place. As puzzling as this is, I look forward to help from some of you more knowledgeable folks. Thank you in advance for your help.

Logfile of HijackThis v1.97.7
Scan saved at 2:45:44 AM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKLM\..\RunOnce: [AOLToolbarDirRemoval] cmd.exe /C rd "C:\Program Files\AOL Toolbar"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5.8.5.21/popfu/popfu-ob-assets.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37655.7363657407
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

Again, thank you in advance for helping me with this ongoing and perplexing issue.

Andrew

Well, it seems I've solved the issue myself. Thank you for NOT getting back to me in any sort of timely fashion. I suppose as I did not bump my own thread in a desperate manner, I shouldn't have been noticed, and it is my own fault. Oh well. GG WS... Hope to never see you again.

lunchboxen,

I am happy that you were able to resolve your problem on your own, after all getting a problem fixed is what it is all about. However, that is a pretty rude post you've just made here.

If you haven't noticed, there are a very large number of hijack logs here and the people who volunteer their time to work these can't always get to them all quickly. Sometimes it does indeed take a day or two. Your post was less than 24 hours old, and it just hadn't been reached yet.