i need a computer genius

  • 22-09-2005 12:02am
    #1
    Registered Users, Registered Users 2 Posts: 239 ✭✭


    Hey, I hope I'm in the right place here.

    Right, I'm not a novice at removing spyware as I've done it successfully about 10 times in the past. But I'm at my tether's end. I've tried everything I can think of!!!

    I have, and use: Spyware Doctor, ZoneAlarm, Ad-Aware, Microsoft AntiSpyware, CounterSpy, Spybot, XoftSpy, and CWShredder.

    I use all these in safe mode and have tried deleting the relevant registry keys, and what .dll files I think are relevant, but still this fecker keeps respawning.

    They're all CWS (CoolWebSearch) variants, some with a misterhop tag, and they all keep coming back when I go online, even with all the blockers in place.

    So my question!

    CAN ANYONE HELP ME!!!!!!! Dear god please, before I throw this thing out the window.
    All relevant ideas are gratefully welcome,
    and all random stupid answers are too as long as they make me laugh. :-)
    Thanks in advance,
    niall


Comments

  • Hosted Moderators Posts: 18,115 ✭✭✭✭ShiverinEskimo


    You don't happen to use Messenger Plus by any chance? It's an add-on for MSN Messenger that lets you have extended msgs and the like. Well, it's all lovely until it installs the mysearch ****e..

    I got hit the same a few months back - broke my balls trying to figure it out - Messenger Plus was the culprit in my case..

    Also try using Firefox or Opera instead of IE if you can..


  • Registered Users, Registered Users 2 Posts: 2,297 ✭✭✭Ri_Nollaig


    Was it the most up-to-date version of CWShredder? Have you tried Firefox?


  • Closed Accounts Posts: 21 budrick


    What antivirus are you using? Try downloading Avast Home Edition (it's totally free), it should help. Plus look for SpywareBlaster and download it as well.. Also get rid of Microsoft AntiSpy, it's spyware itself, it monitors everything you do on your PC.


  • Registered Users, Registered Users 2 Posts: 2,372 ✭✭✭Illkillya


    What OS are you in? If in XP, do Start -> Run -> "msconfig" -> Startup
    and see if there's anything suspicious starting up there that the scanners missed, and disable it.


  • Registered Users, Registered Users 2 Posts: 1,028 ✭✭✭greglo23


    You have to make sure System Restore is turned off on all drives before deleting spyware/trojans, as they hide themselves inside the protected archive. This drove me demented until I found out what was happening.


  • Closed Accounts Posts: 145 ✭✭lkman


    Try using Process Explorer, it won't get rid of the problem but it will give you a better idea what's bringing it back... it's like Task Manager but 10x better.
    http://www.sysinternals.com

    It lists all programs plus everything each program accesses: handles, dlls, reg keys... Try doing a handle search: Find>Find Handle.

    Good luck.


  • Banned (with Prison Access) Posts: 449 ✭✭Airblazer


    The best 100% way of getting rid of spyware is reinstalling the whole O/S. After this, install from the Windows Update site and also install Microsoft AntiSpyware. Also use Firefox as it stops a lot of spyware etc. (although recent research has shown it's only about as secure as IE in spite of all the hype..)
    If you don't want to do this.. download and install AntiSpyware and do a full scan.. also try Ad-Aware as well.. both of these should remove all spyware between them.. also make sure to turn off System Restore and reboot before doing it.


  • Closed Accounts Posts: 519 ✭✭✭smeggle


    OK, first off don't use IE as you're not getting anywhere. It's IE that CoolWebSearch is infecting - there are reports that Firefox may be targeted but as yet I'm putting that down to rumours till I see solid fact. Opera, if you have it, will suit just as well. You'll at least be able to get this tool, HijackThis (http://www.lurkhere.com/~nicefiles/HijackThis1991.exe). This will show you everything that is plugging into your browser.
    You would be better off with just Spybot and Ad-Aware imo. Spybot because it now prevents most of the CWS variants getting in in the first place via its resident shield; you can get that here: spybot

    If you run a HijackThis log and post a copy I'll look over it to let you know what to remove. You may also find this place helpful:

    http://cwshredder.net/cwshredder/cwschronicles.html - as far as I know that place has every known CoolWebSearch variant listed and how to remove it if you get hit.

    As said, you'll need to switch off System Restore and in some cases edit registry values/delete values - don't worry, just follow the instructions carefully and you'll be fine.....


    edit: afterthought - I'm not saying to use Firefox because it's a better browser yadda yadda - I'm saying it because IE is infected and is no use to you. At least with Firefox you'll be able to get the tools you need to be able to fix the problem. Just saying as I know it's a touchy subject around here...:)


  • Registered Users, Registered Users 2 Posts: 1,028 ✭✭✭greglo23


    I also use this: http://www.emsisoft.com/en/software/free/ . It's an excellent tool and it's regularly updated.


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Run HijackThis and post the log files.


  • Registered Users, Registered Users 2 Posts: 1,175 ✭✭✭srdb20


    3 things

    1. Turn off System Restore before running all the spyware removal tools

    2. Make sure you're not connected to the net

    3. Check msconfig to see your startup programs

    Once you've run all the tools and removed the correct registry keys etc....

    RE-BOOT and that should have cleared it up. If it doesn't, let me know and I'll give ya another solution.

    PEACE!!!!!!!!!!


  • Registered Users, Registered Users 2 Posts: 239 ✭✭pokermonkey




  • Moderators, Science, Health & Environment Moderators Posts: 1,426 Mod ✭✭✭✭slade_x


    All you need is Ewido Suite:

    http://www.ewido.net/en/


  • Closed Accounts Posts: 873 ✭✭✭neon_glows


    http://www.ewido.net/en/

    Yeah, download the above and run it in safe mode :-)


  • Closed Accounts Posts: 873 ✭✭✭neon_glows


    Also try switching off system restore.


  • Registered Users, Registered Users 2 Posts: 2,372 ✭✭✭Illkillya


    C:\WINDOWS\mfcsa.exe
    C:\WINDOWS\system32\mfcfj.exe
    At a glance I would guess that these are the troublemakers. If the problem is not solved on this thread then you can google those terms and you will find other threads on other forums by people with the same problem.


  • Closed Accounts Posts: 519 ✭✭✭smeggle


    I'll get that HijackThis expert to look over it for you, but I'm suspecting that :\WINDOWS\mfcsa.exe as well - give it a few hrs and I should have the answer for you :)


  • Registered Users, Registered Users 2 Posts: 239 ✭✭pokermonkey


    Thanks guys. Looking forward to the results. I'll give that file a shot in the meantime.


  • Closed Accounts Posts: 552 ✭✭✭Hank_Scorpio


    When Adware.CoolWebSearch is executed, it performs the following actions:

    1. Copies itself as %System%\Services\<executed filename>.

    Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    2. Creates the following entry in the file %Windir%\System.ini:

    [windows]
    load=%sysdir%\services\<executed filename>

    3. Adds the value:

    "xpsystem"="%System%\services\<executed filename>"

    to the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs when Windows is started.

    4. Adds the value:

    "run"="%Sysdir%\services\<executed filename>"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    so that the adware runs when Windows NT/2000/XP is started.

    5. Registers itself as a Browser Helper Object, by adding the subkey:

    {5321E378-FFAD-4999-8C62-03CA8155F0B3}

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    and setting multiple values in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}

    6. Adds the values:

    ProxyEnabled = 0
    MigrateProxy = 1
    ProxyEnabled = 0

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings

    7. Adds the value:

    ProxyBypass = 1
    IntranetNames = 1
    UNCAIntranet = 1

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap

    8. May redirect search queries made in Microsoft Internet Explorer to an advertising Web site.



    The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

    1. Update the definitions.
    2. Close all open Internet Explorer windows.
    3. Run a full system scan.
    4. Delete the values that were added to the registry.

    For specific details on each of these steps, read the following instructions.

    1. To update the definitions
    To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

    2. To close all open Internet Explorer windows
    Because Adware.CoolWebSearch functions as a Microsoft Internet Explorer plugin, it is necessary to close all the open Internet Explorer windows to remove it. If you are reading this writeup in Internet Explorer, print this writeup using our printer-friendly option at the top of the page, or write down the following instructions, and then close all the Internet Explorer windows.

    3. To run the scan

    a. Start your Symantec antivirus program, and then run a full system scan.
    b. If any files are detected as Adware.CoolWebSearch and depending on which software version you are using, you may see one or more of the following options:


    Note: This applies only to versions of Norton AntiVirus that support Security Risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports Security Risk detection, and Security Risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.
    * Exclude (Not recommended): If you click this button, it will set the threat so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.

    * Ignore or Skip: This option tells the scanner to ignore the threat for this scan only. It will be detected again the next time that you run a scan.

    * Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the threat for this scan only, and thus, the threat will be detected again the next time that you run a scan.

    To actually delete the security risk:
    * Click its file name (under the Filename column).
    * In the Item Information box that displays, write down the full path and file name.
    * Then use Windows Explorer to locate and delete the file.

    If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.


    * Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
    * If you see a message, "Delete Failed" (or similar message), manually delete the file.
    * Click the file name of the threat that is under the Filename column.
    * In the Item Information box that displays, write down the full path and file name.
    * Then use Windows Explorer to locate and delete the file.

    If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.




    4. To delete the values from the registry

    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.


    a. Click Start > Run.
    b. Type regedit

    Then click OK.

    c. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    d. In the right pane, delete the value:

    "xpsystem"=<path to the adware>

    e. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    f. In the left pane, delete the subkey:

    {5321E378-FFAD-4999-8C62-03CA8155F0B3}

    g. Do one of the following:
    * If you are using Windows 95/98/Me, exit the registry editor and proceed to the next section.
    * If you are using Windows NT/2000/XP, navigate to the key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


    h. In the right pane, delete the value:

    "run"="%Sysdir%\services\<executed filename>"

    i. Exit the Registry Editor.
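The persistence points in the writeup above (the "xpsystem" Run value, the "run" value under the Windows NT key, the BHO CLSID and the System.ini load= line) can be checked offline against a regedit export and a copy of System.ini. This is an added example, not code from the thread or from Symantec; the sample export and INI are constructed, and "xyz.exe" stands in for the writeup's <executed filename>.

```python
"""Added example, not from the thread: scan a regedit export and a System.ini for
the Adware.CoolWebSearch persistence points in the Symantec writeup above.
Sample data at the bottom is constructed; xyz.exe stands in for <executed filename>."""
import configparser

BHO_CLSID = "{5321E378-FFAD-4999-8C62-03CA8155F0B3}"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
NT_WINDOWS_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value: data}}.
    Keys and value names are lower-cased (the registry is case-insensitive) and only
    quoted string data is decoded, which is all this check needs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name.lower()] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_cws_indicators(reg_text, system_ini_text):
    """Return (kind, detail) pairs for each persistence point from the writeup that is present."""
    findings, keys = [], parse_reg_export(reg_text)
    for key in RUN_KEYS:  # step 3: "xpsystem" value under either Run key
        data = keys.get(key.lower(), {}).get("xpsystem")
        if data:
            findings.append(("run_value", f"{key}\\xpsystem = {data}"))
    data = keys.get(NT_WINDOWS_KEY.lower(), {}).get("run")
    if data:  # step 4: this 'run' value is normally empty on a clean machine
        findings.append(("nt_run_value", f"{NT_WINDOWS_KEY}\\run = {data}"))
    if f"{BHO_KEY}\\{BHO_CLSID}".lower() in keys:  # step 5: BHO registered
        findings.append(("bho", BHO_CLSID))
    # step 2: System.ini [windows] load=; interpolation off so '%sysdir%' stays literal
    ini = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    ini.read_string(system_ini_text)
    load = ini.get("windows", "load", fallback="").strip()
    if load:
        findings.append(("system_ini_load", load))
    return findings

# Constructed sample inputs, not captured from a real machine.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xpsystem"="C:\\WINDOWS\\System32\\services\\xyz.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\System32\\services\\xyz.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3}]
"""
INI_SAMPLE = r"""[boot]
shell=Explorer.exe
[windows]
load=C:\WINDOWS\System32\services\xyz.exe
"""
```

Export the keys with regedit (File > Export) on the suspect machine and run find_cws_indicators over that file and its System.ini; an empty list means none of the writeup's four persistence points are present.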


  • Registered Users, Registered Users 2 Posts: 239 ✭✭pokermonkey


    Right.
    So I downloaded that Ewido thing and ran it, along with all the other antispyware in safe mode, and nearly all is gone. Ewido is the only one recognising anything, and what it recognises repeatedly, even after deleting, is: C:\WINDOWS\SYSTEM32:ylaa.dll
    The infection is: Trojandownloader.Small.azk

    As for Hank_Scorpio, thanks a mill for the answer, but unfortunately I don't use Symantec and the registry keys you mentioned aren't in there.

    I've deleted:
    C:\WINDOWS\mfcsa.exe
    C:\WINDOWS\system32\mfcfj.exe
    along with other ones that I'm 90% sure were the same thing respawned.

    So the only things I reckon are the problem are:
    1) the C:\WINDOWS\SYSTEM32:ylaa.dll that returns all the time in the Ewido scan
    2) the "Home Search Assistant" and "Search Extender" which I can't remove from the programmes list in Control Panel -> Remove Programs

    Hope this will help in determining how to get rid of this. Cheers
    niall


  • Closed Accounts Posts: 519 ✭✭✭smeggle



    Hmm, right, a persistent little git then. Generally means something else that is not being seen is reloading it. Can you slave the drive temporarily? i.e. if you have a spare clean drive with an O/S on and up-to-date AV etc., slave the infected drive and then do a full scan. Handy little trick to catch this kind of thing.

    They initiate when you boot the system on the infected drive and just reload what you previously deleted. If the drive is slaved they can't initiate and are seen for what they are straight away. I have this happen at least twice a month where I need to slave the drive to make sure I get everything on clients' comps.

    If you don't have a spare comp then ask a mate if they wouldn't mind you slaving in your drive to scan it. Might save you a lot of time....

    Still waiting on word back from the egg on your log, but most of the techy support guys are indicating the aforementioned file/.exe that you have deleted.

    :)


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    OK, what most people are saying here I've covered in one tutorial which I think is a help to most people with spyware/virus problems. I suggest reading and doing what it says, it may help.

    The URL is: http://www.thenet2k.com/forums/index.php?act=tutorials&CODE=03&id=41


  • Closed Accounts Posts: 79 ✭✭Smileylynz


    PM Nukem. He is a Computer Genius.


  • Registered Users, Registered Users 2 Posts: 239 ✭✭pokermonkey


    Thx Sully.
    I had a look at your link, and it's very helpful, but Google hasn't done much (I am still looking though); Add/Remove Programs won't uninstall the two programmes I want uninstalled unless I download something off the smartfinder website, which I'm sure won't help; there was nothing odd in the system config other than a startup item with no name (this could be a problem but I don't want to delete something important); the BHOs are fine; and the only thing in my Task Manager processes which looks odd is 3 svchost.exe processes, but I think I saw that before.

    I've PMed Nukem, so we'll see how that goes,

    and SMEGGLE, I've never heard of slaving, but if all else fails I might give it a bash. The problem is on my laptop, and there's a PC in the house, could I use that? How do I go about doing this? Actually don't worry, if it comes to that I'll Google it, save you some time.
    I'm very interested to hear what your mate "the egg" has to say,

    and thx again to all for your help.

    cheers,
    niall


  • Registered Users, Registered Users 2 Posts: 239 ✭✭pokermonkey


    OK, after spending most of the morning and night going through every last thing on the computer, I think I've finally got rid of the "Home Search Assistant" and the "Search Extender", which are no longer appearing in my Add/Remove Programmes.

    The ONLY thing left that I can find (after running all of the anti-spyware/antivirus programmes, 13 in total) is the following, picked up by Ewido:
    File: C:\WINDOWS\SYSTEM32:ylaa.dll
    Infection: TrojanDownloader.small.azk
    Threat: High

    No matter how many times I remove/clean it, it is still there when I rescan.
    I've tried deleting it manually, but cannot find it.

    Any ideas anyone?

    thx
    niall


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    Another suggestion not in the tutorial:

    Try and download the trial version of NOD32 - I find it's the best virus scanner I've tested in a long time. Slightly non-user-friendly, but once you get it up and running, its virus removal kit works wonders. It *may* be helpful for ridding of the virus/trojans which you seem to have.

    P.S. Do all this in safe mode - anything you do should be done in safe mode! And some system files are automatically hidden by Windows, so that's probs why you can't find the file (not that you will be able to get rid of it, probs locked if the scan can't get rid of it).

