HELP HELP HELP with coolweb trojan removal.. tried all..

Discussion in 'adware, spyware & hijack cleaning' started by desp, May 3, 2004.

Thread Status:
Not open for further replies.
  1. desp

    desp Registered Member

    Joined:
    May 3, 2004
    Posts:
    4
    Hello.
    I've been trying to remove Cool Web Search for days, and ran all the ad-aware, cwshredder and co stuff, and nothing worked.
    I read that I could find the name of the dll which is creating all the problems by installing reglite, going to the windows folder and looking in the AppInit_DLLs folder, and if there is a .dll value in the last field, that's it.
    I have it, and the name is "c:\windows\system32\loggjha.dll". They suggested how to remove this thing (I'll give you details if you want), but I couldn't do that. It keeps coming out, even though I think I've removed it. If I go to the c:\windows\system32 directory, that dll never shows up, but if I reopen reglite, it's there again.
    Did you ever hear of this suggestion? Other people said that removing the dll there worked for them.
    Now, I ran HijackThis, and this is my log file.

    Logfile of HijackThis v1.97.7
    Scan saved at 15.40.44, on 03/05/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Programmi\Winamp\Winampa.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Programmi\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\internat.exe
    C:\Programmi\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Programmi\stickies\stickies.exe
    C:\Programmi\Outlook Express\msimn.exe
    C:\Programmi\Yahoo!\Messenger\YPager.exe
    C:\Programmi\AIM\aim.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\XX\Impostazioni locali\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkj.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkj.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkj.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Common\ycomp5_0_2_6.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {C27ED33D-92E2-4F05-B6AE-B23AC1844ABC} - C:\WINDOWS\System32\egkj.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Common\ycomp5_0_2_6.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Stickies.lnk = C:\Programmi\stickies\stickies.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Programmi\Navnt\NAVAPW32.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .it/search?q=spettroscopia+Uv-Vis&ie=ISO-8859-1&hl=it&btnI=Mi+sento+fortunato&lr=: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7F8B067-9B9D-4491-87F1-9AFD30ED28DF}: Domain = ch.unito.it
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7F8B067-9B9D-4491-87F1-9AFD30ED28DF}: NameServer = 130.192.119.1,192.84.137.1

    Can someone help me?
    I'm really worried, because if I run some programs, now the CPU gets completely filled without any reason, and I can't connect to spyware web pages anymore, and I cannot update windows (I didn't have Service Pack 4).
    I'm really unhappy.

    Thanks a lot.
     
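    As a defender-side triage aid added here (not the poster's or the forum's code), a small Python parser that correlates the R0/R1 `res://` search-page hijacks in a HijackThis log with the O2 BHO loaded from the same DLL; the excerpt it runs on is constructed but modelled on the entries in the log above.

```python
import re

# Constructed excerpt in HijackThis v1.97 log format (modelled on the log
# above, not the poster's full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkj.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C27ED33D-92E2-4F05-B6AE-B23AC1844ABC} - C:\WINDOWS\System32\egkj.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

# res:// URLs serve an HTML resource embedded in a local DLL; a search page
# pointing at one is the CoolWebSearch pattern seen in the log above.
RES_DLL = re.compile(r"res://([^/\s]+\.dll)", re.IGNORECASE)
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.+)$", re.IGNORECASE)


def triage(log_text):
    """Return the DLLs behind res:// hijacks, all BHOs, and findings that
    tie a BHO to the DLL serving the hijacked search/start pages."""
    res_dlls = {}  # lowercase dll path -> registry values that point at it
    bhos = []      # (clsid, display name, dll path)
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(("R0 -", "R1 -")):
            m = RES_DLL.search(line)
            if m:
                value = line.split(" = ", 1)[0][5:]  # drop the "R1 - " prefix
                res_dlls.setdefault(m.group(1).lower(), []).append(value)
        elif line.startswith("O2 -"):
            m = BHO_LINE.match(line)
            if m:
                bhos.append((m.group(2), m.group(1), m.group(3)))

    findings = []
    for dll, values in res_dlls.items():
        findings.append(f"search/start page served from local DLL {dll} ({len(values)} registry values)")
    for clsid, name, path in bhos:
        if path.lower() in res_dlls:
            # The same file is both the BHO and the page host: one infection,
            # so the R0/R1 values and the O2 entry must be removed together.
            findings.append(f"BHO {clsid} {name} loads the same DLL {path} that serves the hijacked pages")
    return {"res_dlls": res_dlls, "bhos": bhos, "findings": findings}
```

    Run `triage(SAMPLE_LOG)["findings"]` against a saved log to see which BHO CLSID and which R0/R1 values belong to the same DLL before fixing them in HijackThis.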
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
  3. desp

    desp Registered Member

    Joined:
    May 3, 2004
    Posts:
    4
    Hello,
    thanks for your quick answer. I went through that file. I did all the Reglite stuff and it did not work (the renaming and so on; I was never able to make the dll visible).
    I wanted to try the other way, but I'm stuck at the first step :(
    I downloaded the Xfind.zip tool and then I clicked on find.bat, but it creates a file.txt saying that the Xfind command is not recognized.
    Am I doing something wrong?
    Thanks..
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    And find.bat and Xfind.com are in the same folder?

    Regards,

    Pieter
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I doubt that anything will do any good until you update your version of Windows to include the latest service packs and security fixes.

    Running basic W2K is a big, big risk, and many applications will only run on SP2 at the least. It is strongly recommended to get right up to date with SP4.
    It is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
     
  6. desp

    desp Registered Member

    Joined:
    May 3, 2004
    Posts:
    4
    Ehm..
    I did go there already.
    It doesn't allow me to install Service Pack 4! I do the scan for updates, select it, and after a few seconds, when it should begin to install, it says that 'an error occurred' and nothing else. That's why I was so scared..
     
  7. desp

    desp Registered Member

    Joined:
    May 3, 2004
    Posts:
    4
    To Pieter:
    yes, they are. I created a folder for them.
     