Hi,
Could you please tell me how to remove cool web search and CWS-about blank? I've tried Ad-aware (keep stalling when try deleting), spybot, spyware nuker 2005 but it's still reappear whenever open IE6. And keep having pop up ads.
I'm using window 98 SE on Pentium 2 350MHZ
Please let me know if you need further info.
I have about buster and hijack this (previous problem with about blank)
Thanks for your time
Nashii
Nashii
0
Newbie Poster
Recommended Answers
Jump to PostDownload CWShredder 2 from here:
http://www.intermute.com/spysubtract/cwshredder_download.htmlRun it and press Fix (not scan) and allow it to clean the infection. Close all windows before hitting the Fix button.
Run About:Buster, and then:
…
Jump to PostDid you update about:Buster before running it? It should have removed this one -- C:\WINDOWS\SDKSA32.EXE
Scan with HJT and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vliny.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vliny.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: …
All 5 Replies
dlh6213
27
Posting Maven
Team Colleague
Download CWShredder 2 from here:
http://www.intermute.com/spysubtract/cwshredder_download.html
Run it and press Fix (not scan) and allow it to clean the infection. Close all windows before hitting the Fix button.
Run About:Buster, and then:
1. Click Update
2. Click Check For Update
(If no new version is available, skip to step #4)
3. Click Download Update and wait for it to be installed
4. Click Start
(Wait for the initial ADS scan to complete)
5. Click Yes to shutdown any IE session currently open
(Wait for the about:blank scan to complete)
6. Click OK to scan once more
7. Click Yes to shutdown any IE sessions currently open
8. Click Yes to begin the second pass
9. Click Save log
10. Click Exit
11. Click Exit
12. Reboot
Close all browser windows, scan with hijackthis, and post this log along with the about:Buster log
Nashii
0
Newbie Poster
Here's hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:51:56 PM, on 4/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\PROGRAM FILES\SPYWARE NUKER 2004\SWN2.EXE
C:\DOWNLOAD\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WINDC.EXE
C:\WINDOWS\SDKSA32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vliny.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theadvertiser.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vliny.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {07E4FD77-394B-B875-5A4B-DD790369CC6A} - C:\WINDOWS\SDKNZ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [AWMON] "C:\DOWNLOAD\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Wfrmsrv] C:\WINDOWS\Wfrmsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
And AB:
Scanned at: 9:46:24 PM on: 4/8/05
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Thanks,
dlh6213
27
Posting Maven
Team Colleague
Did you update about:Buster before running it? It should have removed this one -- C:\WINDOWS\SDKSA32.EXE
Scan with HJT and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vliny.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vliny.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {07E4FD77-394B-B875-5A4B-DD790369CC6A} - C:\WINDOWS\SDKNZ.DLL
Be sure all windows, other then hijackthis, are closed before hitting the Fix button
Go to the following folders and delete the highlighted file (if any won't delete, try booting into Safe Mode first):
C:\WINDOWS\SDKSA32.EXE
C:\WINDOWS\SDKNZ.DLL
C:\WINDOWS\SYSTEM\WINDC.EXE
Reboot
Close all browser windows, scan with HJT, and post a new log please.
Do you have LSoft installed? (Wondering becuase of this -- Wfrmsrv.exe)
Nashii
0
Newbie Poster
Hi,
I did update buster before scanning dont know why it did not pick up.
I think it's OK now as I dont see ad-watch bubbling red anymore. Here 's the log:
Logfile of HijackThis v1.99.1
Scan saved at 1:45:25 AM, on 4/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\PROGRAM FILES\SPYWARE NUKER 2004\SWN2.EXE
C:\DOWNLOAD\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theadvertiser.com.au/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [AWMON] "C:\DOWNLOAD\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Wfrmsrv] C:\WINDOWS\Wfrmsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
By the way I dont have LSoft, not that I know of anyway. May be installed by the person that revamped my PC last month (it was dead as I attempted to install win2000 - learnt my lesson!)
Please let me know the result.
Many thanks
dlh6213
27
Posting Maven
Team Colleague
Your log looks okay to me, other then that one file, which is probably not bad, but just to be sure...
Go to C:\WINDOWS, find the Wfrmsrv.exe file, right-click on it, and do a virus scan.
After that, right-click on it again and choose Properties; let us know the results of the virus scan and whatever info you get from Properties (company name, version, etc.)
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.