www.thespykiller.co.uk/files/lopremover.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqflu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gqflu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gqflu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqflu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gqflu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gqflu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gqflu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O4 - HKLM\..\Run: [winmain] winmain.exe
O13 - DefaultPrefix:
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {72FF22A1-8BF1-11D5-9A3D-000021506A27} (ShClass Class) - http://216.226.129.108/short.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www103.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softw.../0006_adult.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...937c6314a45eb37

Fix those entries, then find and delete the following files:

C:\WINDOWS\gqflu.dll
winmain.exe

_______________

Copy and paste this whole thing into a new text document and save it to your desktop: right-click the desktop and select New, then New Text Document, and save it under whatever name you like. You will have to close this window when you fix with HijackThis. Or, if you have a printer, you can print these instructions.

Open your Control Panel, navigate to Add/Remove Programs and uninstall these if found:

SURFSIDEKICK 2
MYSEARCH
IESEARCHTOOLBAR
wildtangent

Open up the Task Manager (Ctrl + Alt + Del) and end process on these files:

SAIE.EXE
CSV10P070.EXE

Scan with HijackThis again and place a check next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpe.dll/blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O2 - BHO: (no name) - {066DD1AA-1339-442D-9D77-69585A39F108} - C:\WINDOWS\SYSTEM\FCJABO.DLL (file missing)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\PROGRA~1\CSBB\CSBB.DLL
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\IESEARCHTOOLBAR.DLL
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [edebmj] C:\WINDOWS\edebmj.exe
O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://www.dellnet.com (file missing) (HKCU)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

Make sure that all browser windows and internet links are closed, even this one, and click 'Fix Checked' with HijackThis.

To make sure you can see all hidden files, please follow the directions here.

Boot into safe mode by tapping the F8 key at restart and choosing 'Safe Mode' from the menu (explained here if needed).

Navigate to these files/folders:

C:\PROGRAM FILES\SURFSIDEKICK 2 ~> delete that folder
C:\PROGRAM FILES\MYSEARCH ~> delete that folder
C:\PROGRAM FILES\CSBB ~> delete that folder
C:\PROGRAM FILES\IESEARCHTOOLBAR ~> delete that folder
c:\windows\system\saie.exe ~> delete this file
C:\WINDOWS\edebmj.exe ~> delete this file

Also, while still in safe mode, let's clean your temp files. Clear out your Temporary Internet Files and other temp files: go to Start > Settings > Control Panel > Internet Options. Under the General tab click Delete Temporary Internet Files, and delete all Offline Content as well. Clear out Cookies.
Also, go to Start > Find/Search > Files or Folders, type *.tmp in the Named box, then choose Edit > Select All, then File > Delete. Empty the entire contents of the C:\Windows\temp folder and the C:\temp folder, if you have one (the contents, but not the folder itself). Empty the Recycle Bin.

Reboot and post a new HijackThis log.

__________

A complete list of coolwebsearch hijack domains can be found here: http://www.spywareinfo.com/~merijn/junk/cws_domains.txt

Check this URL out for a comprehensive history and a removal tool: http://www.spywareinfo.com/~merijn/cwschronicles.html

Coolwebsearch is nasty stuff. So nasty that Merijn's web site (above) was the victim of a sustained denial of service attack, which just goes to show how successful, and how effective, his CWShredder tool is. Three cheers for Merijn.

Coolwebsearch malware (so named if malware directs a computer to a known coolwebsearch-registered domain) is the most persistent malware I have come across yet.

Historical data

Datanotary (also known as coolwebsearch) worked by generating a (hidden) pop-up window that is triggered when a victim tries to type into a form on a web page. Go to IE Tools > Internet Options > Accessibility. If the option 'Format documents using my style sheet' is turned on, turn it off AFTER noting down the path to the CSS file being used. Search for and rename that CSS file.

It causes errors involving psapi.dll: "psapi.dll not found..." and "psapi.dll file is linked to missing export ntdll.dll".

The file bootconf.exe may exist on your system; it is used by a hijacker related to coolwwwsearch, coolwebsearch, youfindall.net, ok-search.com and white-pages.ws. Check the troubleshooting advice above for guidance on finding and getting rid of such hijackers.
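Triage logic for logs like the two above, as an added example (not the page's own method and not HijackThis code): it parses each R/O entry and flags the patterns those fix lists were built from: a res:// search page served from a DLL that Internet Explorer does not ship, file:// pages, plug-ins whose file is missing or that sit directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, Run entries with no path, wildcard Trusted Zone additions, and ActiveX packages pulled from a bare IP. The allowlists, drop directories and the sample log lines are constructed for this example; KNOWN_BAD_NAMES is only the names that appear on this page, not a real signature database.

```python
"""Triage a HijackThis log: split each entry into its section code and
body, then flag the patterns the fix lists above are built from."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample modelled on the logs above (same entry kinds, not a
# real capture). Lines 2, 10 and 11 are the benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqflu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpe.dll/blank.htm
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL (file missing)
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [edebmj] C:\WINDOWS\edebmj.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {72FF22A1-8BF1-11D5-9A3D-000021506A27} (ShClass Class) - http://216.226.129.108/short.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O4 - HKLM\..\Run: [ExampleAV] C:\PROGRAM FILES\EXAMPLEAV\avtray.exe /startup
"""

# DLLs IE legitimately serves res:// pages from (assumption: minimal allowlist).
RES_DLL_ALLOWLIST = {"shdoclc.dll", "mshtml.dll", "ieframe.dll", "shdocvw.dll"}
# Directories CoolWebSearch-style droppers use for randomly named files (assumption).
DROP_DIRS = {r"c:\windows", r"c:\windows\system"}
# Names taken from the fix lists on this page; a real triage uses a fuller database.
KNOWN_BAD_NAMES = ("surfsidekick", "mysearch", "csbb", "iesearchtoolbar", "wildtangent",
                   "searchnow.ws", "find-on-the-net.com", "coolsavings", "xxxtoolbar",
                   "windupdates")
TRUSTED_ZONE_ALLOWLIST: set = set()   # assumption: nothing belongs there by default

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str
    line: str
    reason: str


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _check_r(body: str) -> Optional[str]:
    """R0/R1: 'HKxx\\...\\Main,Search Bar = <target>'."""
    if " = " not in body:
        return None
    target = body.split(" = ", 1)[1].strip()
    low = target.lower()
    if low in ("", "about:blank"):
        return None
    if low.startswith("res://"):
        dll = low[6:].split("/", 1)[0].rsplit("\\", 1)[-1]   # DLL the page is served from
        return None if dll in RES_DLL_ALLOWLIST else f"res:// page served from non-IE DLL {dll}"
    if low.startswith("file://"):
        return "search/start page points at a local file"
    host = _host(target)
    if any(bad in host for bad in KNOWN_BAD_NAMES):
        return f"target host {host} is a known hijack domain"
    return None


def _check_path(body: str) -> Optional[str]:
    """R3 hooks, O2 BHOs, O3 toolbars, O4 Run entries: where does the file live?"""
    low = body.lower()
    if "(file missing)" in low:
        return "orphaned entry, file missing"
    if any(bad in low for bad in KNOWN_BAD_NAMES):
        return "matches a known adware/hijacker name"
    m = re.search(r"\[[^\]]*\]\s*(.*)$", body)            # O4: [name] command
    if m:
        cmd = m.group(1).strip().strip('"').lower()
        exe = cmd.split(".exe", 1)[0] + ".exe" if ".exe" in cmd else cmd
        directory, _, name = exe.rpartition("\\")
        if not directory:
            return f"Run entry {name!r} has no path; resolved via the search order"
        if directory in DROP_DIRS:
            return f"Run entry launches {name!r} dropped directly in {directory}"
        return None
    if body.startswith(("BHO:", "Toolbar:", "URLSearchHook:")):
        directory = body.rsplit(" - ", 1)[-1].lower().rpartition("\\")[0]
        if directory in DROP_DIRS:
            return f"plug-in DLL dropped directly in {directory}"
    return None


def _check_trusted(body: str) -> Optional[str]:
    site = body.split(":", 1)[-1].strip()
    return None if site.lower() in TRUSTED_ZONE_ALLOWLIST else f"Trusted Zone / IP range addition: {site}"


def _check_dpf(body: str) -> Optional[str]:
    url = body.rsplit(" - ", 1)[-1].strip() if " - " in body else ""
    if not url.lower().startswith("http"):
        return "ActiveX (DPF) entry with no download URL"
    host = _host(url)
    if _is_ip(host):
        return f"ActiveX package downloaded from bare IP {host}"
    if any(bad in host for bad in KNOWN_BAD_NAMES):
        return f"ActiveX package from known adware host {host}"
    return None


CHECKS = {"R0": _check_r, "R1": _check_r, "R3": _check_path, "O2": _check_path,
          "O3": _check_path, "O4": _check_path, "O15": _check_trusted, "O16": _check_dpf}


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                                  # headers, blanks, process list
        code, body = m.group("code"), m.group("body")
        check = CHECKS.get(code)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(code, raw.strip(), reason))
    return findings


def lines_to_fix(log_text: str) -> List[str]:
    """The lines you would tick in HijackThis before clicking 'Fix Checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

The location heuristics are deliberately loud: on a Windows 9x box plenty of legitimate Run entries live in C:\WINDOWS, so treat a flag as "review this line", not as an automatic fix, and keep the name list and allowlists maintained for your own environment.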
Advice specific to the iedll.exe and loader.exe bundle

With MUCH thanks to Rick from "The MacKinzie Family" (who sent me a copy of iedll.exe for examination) and Galen (aka KGIII and GotRoot etc.), who took pity on me, decompiled the file and told me what it does...

It's a BHO ("browser helper object"), affecting Internet Explorer, that tries to write to the registry: "..looks like a fragmented version of SearchBar.."

The problem: an error message when starting Windows: "C:\windows\IEDLL.EXE\ file appears to be corrupt. Reinstall the file and try again."

Search engine/option hijackings:

global-finder.com (in the registry as out.true-counter.com/.../?344012)
searchalot.com
coolwebsearch (appearing in the registry as approvedlinks.com/hp.htm)

The cleanup:

Use Task Manager (Ctrl, Alt, Del) to make sure iedll.exe is not running. If it is, shut it down. Rename iedll.exe to iedll.old.

Export, then delete, the following registry entries. Note that most of these are named values under the Main, Search, Internet Connection Wizard and Run keys (the HijackThis log entries above write them as key,value), so remove the individual value rather than the parent key:

HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\HomeOldSP
HKCU\Software\Microsoft\Internet Connection Wizard\Shellnext
HKLM\Software\Microsoft\Internet Connection Wizard\Shellnext
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [iedll] C:\WINDOWS\iedll.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [loader] C:\WINDOWS\LOADER.EXE

NOTE: Loader.exe can be a legitimate Windows file. Do NOT delete or rename the file - just delete the entry above from the registry!!
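One way to script the export-then-delete step, as an added example (not the page's own method): it keeps the key-versus-value distinction from the list above, exports each parent key with reg export before anything under it is deleted, and only invokes reg.exe when apply=True on a Windows machine, so the command plan can be reviewed and tested elsewhere first. ENTRIES, VALUE_NAMES and the backup directory are assumptions for the example; the HKEY_CURRENT_USER paths are written in their HKCU short form, and the two Run entries are written as "key [valuename]".

```python
"""Export-then-delete plan for the iedll.exe registry entries above.
Builds reg.exe argv lists first so they can be reviewed off-box; pass
apply=True on the affected Windows machine to run them in order."""
import re
import subprocess
import sys
from typing import List, Optional, Tuple

# Entries from the write-up (assumed transcription); Run values as "key [valuename]".
ENTRIES = [
    r"HKCU\Software\Microsoft\Internet Explorer\SearchURL",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Search Page",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL",
    r"HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant",
    r"HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch",
    r"HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\HomeOldSP",
    r"HKCU\Software\Microsoft\Internet Connection Wizard\Shellnext",
    r"HKLM\Software\Microsoft\Internet Connection Wizard\Shellnext",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run [iedll]",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run [loader]",
]

# Leaf names that are values under Main / Search / Internet Connection Wizard,
# not subkeys (the HijackThis log writes them as key,value).
VALUE_NAMES = {"Search Bar", "Search Page", "Default_Page_URL", "Default_Search_URL",
               "SearchAssistant", "CustomizeSearch", "HomeOldSP", "Shellnext"}


def split_entry(entry: str) -> Tuple[str, Optional[str]]:
    """Return (key, value_name); value_name is None when the whole key goes."""
    m = re.match(r"^(.*?)\s+\[([^\]]+)\]$", entry)        # "key [valuename]" form
    if m:
        return m.group(1), m.group(2)
    key, _, leaf = entry.rpartition("\\")
    if leaf in VALUE_NAMES:
        return key, leaf
    return entry, None


def plan(entries: List[str], backup_dir: str) -> List[List[str]]:
    """reg.exe argv lists; each key is exported once, before anything under it is deleted."""
    cmds: List[List[str]] = []
    exported = set()
    for entry in entries:
        key, value = split_entry(entry)
        if key not in exported:
            safe = re.sub(r"[^A-Za-z0-9]+", "_", key).strip("_")
            cmds.append(["reg", "export", key, f"{backup_dir}\\{safe}.reg", "/y"])
            exported.add(key)
        if value is None:
            cmds.append(["reg", "delete", key, "/f"])            # whole key
        else:
            cmds.append(["reg", "delete", key, "/v", value, "/f"])  # single value only
    return cmds


def run(entries: List[str], backup_dir: str, apply: bool = False) -> List[List[str]]:
    """Print the plan; with apply=True execute it, stopping at the first failure
    so a failed export never lets the matching delete run."""
    cmds = plan(entries, backup_dir)
    for cmd in cmds:
        print(subprocess.list2cmdline(cmd))
        if apply:
            if sys.platform != "win32":
                raise SystemExit("reg.exe only exists on Windows")
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    run(ENTRIES, r"C:\regbackup", apply="--apply" in sys.argv)
```

Run it once without --apply and read the plan: every reg delete should name a /v value except SearchURL, and you should never see a bare delete of the Main or Search keys, because that would wipe Internet Explorer's own settings along with the hijack. The exported .reg files are what you double-click to restore if a deletion turns out to be wrong.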
__________

2) If you have already screwed around with the registry or run spyware programmes, deleting random bits of the sponsor programme without actually removing it, then you may well have changed it, and uninstalling Messenger Plus will not completely eradicate it. To remove it is still really easy, it just takes longer, and omg this is what I had to do, and my computer takes SO long to reboot!!

1) Uninstall Messenger Plus as shown above
2) Reboot
3) Reinstall Messenger Plus WITH THE SPONSOR PROGRAMME (accept it when prompted). This is to ensure you have the complete and unchanged version of the programme on your computer, which is then easy to remove!
4) Uninstall Messenger Plus again!
5) Reboot again (getting fun now, hey ;-) )
6) If you want, reinstall Messenger Plus v3 WITHOUT the sponsor.

I guarantee this does the trick!