CoolWeb search!!!
flexkill
01-20-2005, 08:39 AM
WTF man....i picked this crap up somehow and it keeps resetting my homepage!!! i ran adaware and spybot...spybot doesn't even find it...adaware finds it... i delete all entries and reboot...click on internet and blam it's back!!! i even went into the registry and deleted all the coolweb **** i could find...and still it comes back!!! keeps turning my homepage to BLANK HOMEPAGE...ALL ABOUT BLANK OR SOME CRAP.....help!!!!! :|
Snafu
01-20-2005, 08:55 AM
Ewwww. You're infected.
The Spybot home-page has a separate fix for it that you have to download and run. At least with ver.1.2. I am not sure if ver.1.3 has it or if you have to run this separate program. Go to the site and read all about this.
BTW with spybot did you immunise?
If you can't get rid of it then it sounds like you need to do a clean install. Sorry bud :(
joeMan
01-20-2005, 09:12 AM
Try this (http://cwshredder.net/bin/CWShredder.exe) too flex. CoolWeb Shredder - comes with SpySubtract, but this is the standalone just for the CoolWeb B.S.
Good luck man.
Oh ya, Snafu makes a good point about immunizing...I used Spybot S&D for months before I figured out to immunize!! Check for updates, download latest def's, then immunize, then "Search for Problems". Sheesh... :bonk:
flexkill
01-20-2005, 09:23 AM
ya i always immunize...i don't know how this could have happened!!!! i am always very careful about this sort of thing...as SNAFU knows i won't even use MSM just for this type of thing!!! i wonder what got me??? :scratch: .....this F'n blows!!!! :irk:
That sucks. . . See what happens when you sleep around on the net, you get infected. :lol:
Snafu
01-20-2005, 09:32 AM
It was your ICQ :p ;) :D :rotflmao:
Maybe it is related to folks registering at those special sites using flexkill@gmail ;)
Sorry - I couldn't help myself for saying these terrible things :hide: .
I haven't had a problem with coolweb since running NAV, SP2, NFW, SB and AA. Man I think these protecting programs are taking up more room on the drives than XP :irk: . I wish they would bring out the death penalty for those who write these viruses and spywares. At least let the common folks take 'em out back and in Quake style...
BLAM, BLAM, BLAM...
No more worries about viruses :D
(not supporting violence or death penalty)
PS - joeMan thanks for the link. I needed to get this :wave:
flexkill
01-20-2005, 09:32 AM
WTF here it is on adaware...but even that damn shredder thing didn't find anything!!! nothing seems to find it but adaware!!! :|
Maybe it is a newer version that the spyware's don't pick up yet.
:scratch:
flexkill
01-20-2005, 09:40 AM
**** man somebody has to help me!!! i do not want to do a clean install....noooooooooo :| :irk: :(
flexkill
01-20-2005, 09:41 AM
shouldn't i be able to find all of this crap in the reg and manually delete it??? :scratch:
shouldn't i be able to find all of this crap in the reg and manually delete it??? :scratch:
Yes. . . But if there is anything in memory, ??????
flexkill
01-20-2005, 09:46 AM
how you mean....my ram or virtual mem...or both??? :scratch: :hide:
RAM.
Also, I run the Yahoo toolbar with popup blocker and Anti-Spy. You might want to install it and run the Anti-Spy.
flexkill
01-20-2005, 09:50 AM
i always thought it best to stay away from all tool bars period!!!! i guess once again i'm wrong!!! :irk: i'll give it a go...also if it's in my ram WTF do i do about that??? :scratch: crap man...i run spyware blaster also!!!! i thought that was supposed to save me from this sort of thing??? :suspect:
i always thought it best to stay away from all tool bars period!!!! i guess once again i'm wrong!!! :irk: i'll give it a go...also if it's in my ram WTF do i do about that??? :scratch:
I'm looking into the Coolweb stuff now. Give me a few to see what it really does.
flexkill
01-20-2005, 09:53 AM
cool(not so coolweb) thanks bud!!! :beer:
Try this:
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
MS AntiSpyware stuff. This used to be Giant Software. Very good product. See if this can detect and destroy it.
Snafu
01-20-2005, 10:00 AM
flex - a stupid question but did you check all the boxes then hit quarantine? After you do this go view the quarantined objects, check the boxes and hit delete.
This is how I get rid of anything I found (coolWeb excepted as I have not had this one yet)
flexkill
01-20-2005, 10:02 AM
ok HAWK i will try that...and ya SNAFU i checked the boxes and deleted from quarantine :thumb:
83racecrew
01-20-2005, 10:02 AM
Flex....another thing you can try is go into the windows\system32 folder....sort the stuff by date.... then look at everything that was created or modified with today's date (or whenever you became infected) if you're familiar at all with what's in the directory...you should be able to identify a dll or exe file that shouldn't be there.
You might be infected with something else that loads coolweb as one of its downloads...so each time you remove coolweb...bam....it just comes back because of the other thing.
Do ctrl-alt-del and look at the running processes....see if there is anything that shouldn't be there....google for any of the names that you don't recognize :)
Snafu
01-20-2005, 10:08 AM
Okay flex. Just checking :wave:
PS - if you are on dial-up I suggest you pull the phone cable out of the wall when you are off-line. At least until you are up and running. Never know what the hell these things will dial-up when you are not around.
PSS - if you are paranoid about it getting any info off your system, try MRBlaster. This will remove all passwords, names, etc. that are hiding on your machine.
flexkill
01-20-2005, 10:11 AM
HAWK i am running that program now...and i have to say this looks like a great little program...it scans everything...memory too!!! will post back in a few...keep your fingers crossed!!! :D
flexkill
01-20-2005, 10:19 AM
well it did find a search bar trojan and it cleaned it!!! i'm running adaware now then will reboot....crap i hope this works!!! :chit:....LMAO you have an emoticon for every occasion hahaha!!! :beer:
flexkill
01-20-2005, 10:33 AM
crap!!! this mother won't go away!!! it came back...any other ideas??? i am going to try 83's idea now... :( :cry: :cry:
This is from the LavaSoft Forum ;
Please try this if you want to remove items found by Adaware
Scan your computer with these free online virusscans, clean and delete what you find. If you can't remove some of the trojans please post the logs here from the scans
http://www.bitdefender.com/scan/licence.php
http://support.f-secure.com/enu/home/ols.shtml
Download and install this tool, but do not run it yet!
http://download.lavasoft.de.edgesuite.net/...lvx2cleaner.exe
Start Ad-Aware SE and click 'Check for updates' to get the latest definitions file.
Please shutdown your PC
Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection).
Re-start your PC
Close all open browsers or other programs you have running.
Can you clean (delete) the following directory contents (but not the directory folder) If you have anything you know you want to keep here, can you move it to a different folder for the time being:
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".
Please use this command to run Ad-Aware SE again:
Click "Start" > select "Run" > enter the following in bold, (including the quotes):
"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
Please click on the gear to access the Configuration Menu. Click on Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Check the option "Obtain command line of scanned processes" The "Obtain command line of scanned processes" is located in the Tweak > Scanning options.
Click OK.
Note: The path above (between the quotes) is the default location of Ad-Aware SE, if this has been changed by you, please adjust it to the location that you have installed it to.
Run a full scan. When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to each "target family" you wish to remove. Click next, Click OK.
Next, run the VX2 cleaner. Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn’t infected, click “Close” and go to ***
If your computer is infected
Select “Clean System”
Reboot your computer
Scan your computer with Ad-Aware
Remove any objects detected
***Reboot your computer again
Run another scan to make sure the files have been removed from your computer, and post the log. Make sure the entire log is posted. It can take 2 or more posts to get it all
Here bud. This is on PCWorld to get rid of that nasty CoolWeb.
Quoted from PCWorld:
Even if your PC has Ad-aware and Spybot Search & Destroy, you still can't stop some versions of an insidious and virus-like pest called CoolWebSearch. Fortunately, a Dutch student who goes simply by the name Merijn wrote a tiny free tool called CWShredder that specializes in removing dozens of CWS variants. InterMute bought the program and now maintains it as a standalone download and bundled with SpySubtract Pro. The following link downloads the standalone version of CWShredder.
http://www.pcworld.com/downloads/file_description/0,fid,23551,00.asp
CWShredder 2.1 :rock:
flexkill
01-20-2005, 11:31 AM
ya i have the new CW shredder it doesn't work either for me!!! i guess i will try lavasoft's solution...if that doesn't work...tomorrow do a clean install!!! :irk: ...but thanks for all the help guys :beer: ...i just wish i knew how i got it...so i don't have to go through this again!!! :o :beer:
Snafu
01-20-2005, 11:43 AM
Maybe just maybe pick up NAV05 and try to boot from it? I am thinking that maybe it needs to be removed before Windows starts up (i.e., clean it out in a DOS type environ).
Another thing to try a boot disk and go in to clean all the folders mentioned above (shoot me if you tried them already)???
What if you boot in safe mode and run CWS?
:scratch:
83racecrew
01-20-2005, 11:52 AM
What if you boot in safe mode and run CWS?
:scratch:
:yup: :yup:
flexkill
01-20-2005, 11:52 AM
how you mean???
how you mean???
Restart the computer and Press F8 . Select SAFE MODE and then try and do a clean. It will be slower, but if this is one of those polymorphic bitch proggies, this might be a way to prevent it from loading and cleaning that bug.
flexkill
01-20-2005, 11:55 AM
damn!!! good idea...post back in a few!!! :chit:
flexkill
01-20-2005, 12:30 PM
the homepage hijacker keeps coming back even in safe mode!!! :scratch: What's funny is it is the only one that keeps coming up...and now that it's the only one it doesn't have a name anymore just ie hijacker ??? :scratch: any ideas??? :(...ok it duz have a name...HotBar.com Inc. ...anyone heard of this???
flexkill
01-20-2005, 01:31 PM
damn what happened ...did i give it to BE!!!! :eek: :hide: ....anyway HAWK you're a real genius!!! it worked in safe mode...thanx a bunch my friend...the rest of you guys too...thanx a bunch ;) :D ...i am sooooo happy now :wpleased: ...i tell ya though that thing was a bitch :yup: ...i had to run all three spy removal tools like four times each :eek: :eek: ...that mofo thought it was moving in for good!!!! :yup: :beer:
Snafu
01-20-2005, 01:41 PM
Great news bud :wave:
Let's hope it just hasn't gone underground on ya' (yeah I know shoot me for the thought)
flexkill
01-20-2005, 02:09 PM
geeez...don't say that :hide: :lol:
Snafu
01-20-2005, 02:25 PM
I said you could shoot me for saying that :hide:
You could leave it up to Acegoober ;)
flexkill
01-20-2005, 09:32 PM
ARRRRRRRRRRRGH IT'S BACK!!!!!! SCREW IT I'M REFORMATTING!!! :irk: you believe that crap!!! :rolleyes:
joeMan
01-20-2005, 10:52 PM
:( Bummer, man. See you when you get back...
ALX_eater
01-21-2005, 12:09 AM
Did you check and see what services are running/enabled.....?
ALX_eater
01-21-2005, 12:25 AM
on the website for cwshredder there is a variant or two that it can't remove,
CWS.Realyellowpage but you said you have about:blank ....I read the one you have and the yellowpage one are seen in tandem.
http://www.spywareinfo.com/~merijn/cwschronicles.html
ARRRRRRRRRRRGH IT'S BACK!!!!!! SCREW IT I'M REFORMATTING!!! :irk: you believe that crap!!! :rolleyes:
You should have run in safe mode a few more times just to verify before you thought it was gone.
That bitch of spyware is a polymorphic one, it changes its name. It must have been loaded into memory on bootup. If you did not format yet, go into safe mode, regedit and check and see what is being loaded on startup.
flexkill
01-21-2005, 07:42 AM
This is the one i have ...i think...any thoughts?...i'm not too good at this sort of crap!!! :o
http://server3.uploadit.org/files/flexkill-untitled.JPG
flexkill
01-21-2005, 07:43 AM
all the stuff they have listed there...is that what i'm supposed to remove??? :scratch:
83racecrew
01-21-2005, 07:49 AM
you betcha flex....edit that registry, lol
Edit: are you familiar with the hosts file? it's in the windows\system32\drivers\etc\ folder
flexkill
01-21-2005, 07:53 AM
Edit: are you familiar with the hosts file? it's in the windows\system32\drivers\etc\ folder
what you mean hosts files??? :o ...i'm lost!!!...please help :beer:
83racecrew
01-21-2005, 08:00 AM
The image you posted up top.....where they are talking about hosts: 213.xxx.xxx.xxx You need to edit those out of the hosts file which is called "hosts" with no extension (like no .exe or .bat, etc) in the directory I posted.
The only line in the hosts file should be 127.0.0.1 localhost....other than all the examples and comments they give you.
Edit: this is where it is
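The hosts-file check 83racecrew describes above, written out as an added Python example (not code from the thread): it reports every entry other than the stock loopback `localhost` line. The function name `audit_hosts`, the sample file contents, the `.example` hostnames and the 203.0.113.7 address are constructed for illustration.

```python
import ipaddress

# Constructed sample: line 2 is the stock entry; the other entries are the
# kinds of lines a hijacker or a leftover tool might add. Addresses and
# names are documentation values, not taken from the thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
203.0.113.7     search.example www.search.example   # redirect
203.0.113.7
127.0.0.1\tads.example
not-an-ip       portal.example
"""

# Names a clean hosts file is expected to map to loopback.
EXPECTED_LOOPBACK_NAMES = {"localhost"}


def audit_hosts(text):
    """Return (line_no, address, names, reason) for each entry that is
    not the stock loopback -> localhost mapping."""
    findings = []
    # Some editors save the file with a byte-order mark; drop it first.
    lines = text.lstrip("\ufeff").splitlines()
    for line_no, raw in enumerate(lines, start=1):
        entry = raw.split("#", 1)[0].strip()  # comments run to end of line
        if not entry:
            continue
        fields = entry.split()  # any mix of spaces and tabs separates fields
        address, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "unparseable address"))
            continue
        if not names:
            reason = "address with no hostname"
        elif not ip.is_loopback:
            # The case from the thread: a name pointed at an outside address.
            reason = "hostname redirected to non-loopback address"
        elif set(names) - EXPECTED_LOOPBACK_NAMES:
            # Not a redirect, but not stock either (blocklist or leftover).
            reason = "extra name mapped to loopback"
        else:
            continue
        findings.append((line_no, address, names, reason))
    return findings


if __name__ == "__main__":
    for line_no, address, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} {' '.join(names) or '-'}: {reason}")
```

To check a real machine, pass the function the contents of the `hosts` file from the windows\system32\drivers\etc folder named in the thread.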
flexkill
01-21-2005, 08:08 AM
so the ones they have listed i delete out of the host file??? :scratch:
so the ones they have listed i delete out of the host file??? :scratch:
:yup:
flexkill
01-21-2005, 08:15 AM
OK so if i go to my computer/windows/system32/ where do i look in system32...there's all kinds of stuff???....sorry guys...i know i'm a dumbass!!! :yup: :shhh: also, how does having hijackthis help me here???
Do a search next time. ;)
system32\drivers\etc
:rock:
flexkill
01-21-2005, 11:11 AM
thanks guys...i give it a go in a bit!!! :rock: :beer:
flexkill
01-24-2005, 05:28 AM
ok sorry for the delay...but i checked my host file and there is nothing in there but the one thats supposed to be....so i guess thats good??? :scratch: ...so what duz this mean.... that i only have to clean the registry??? :scratch: also i cant find HKCU in my registry...what gives???
ok sorry for the delay...but i checked my host file and there is nothing in there but the one thats supposed to be....so i guess thats good??? :scratch: ...so what duz this mean.... that i only have to clean the registry??? :scratch: also i cant find HKCU in my registry...what gives???
HKEY_CURRENT_USER = HKCU :yikes: :bonk: :bonk: :bonk: :bonk: ;)
flexkill
01-24-2005, 06:03 AM
ya i figured that out... :o ...need to get some sleep...my brain is fried...between work and this damn coolweb search crap!!! :| man i have tried every thing it keeps coming back!!! i'm going to have to reformat....but i really don't wanna!!! :cry: there is something i'm not deleting...is there another place to look for the host file stuff other than system32\drivers\etc???
ya i figured that out... :o ...need to get some sleep...my brain is fried...between work and this damn coolweb search crap!!! :| man i have tried every thing it keeps coming back!!! i'm going to have to reformat....but i really don't wanna!!! :cry: there is something i'm not deleting...is there another place to look for the host file stuff other than system32\drivers\etc???
nope
flexkill
01-24-2005, 06:12 AM
This is the one i have ...i think...any thoughts?...i'm not too good at this sort of crap!!! :o
http://server3.uploadit.org/files/flexkill-untitled.JPG
where are the second to last two lines located??? :scratch:
where are the second to last two lines located??? :scratch:
I'm going to start charging you. :mischeif:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
flexkill
01-24-2005, 06:53 AM
I'm going to start charging you. :mischeif:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
haha....i will never pay up!!! :mischeif: :lol: :beer:
ALX_eater
01-24-2005, 07:22 AM
under software\microcrap\winblows that's under hkcu, I think it's hklm is under ..\windows\currentversion
flexkill
01-24-2005, 01:30 PM
problem solved :wpleased: ....REFORMAT COMPLETE!!! :p :rolleyes: :beer:
LostInSpace278
01-24-2005, 03:40 PM
Damn I wish I had seen this earlier. I have had this problem a few times. I run ad-aware, then Spybot, then regcleaner. Make sure you have deleted all cookies and temporary Internet files. The final piece of the puzzle is HiJackThis (http://majorgeeks.com/download3155.html)
Sorry I didn't get it in soon enough. It will clean it right up. Just make sure you know what you're deleting before you delete it.
problem solved :wpleased: ....REFORMAT COMPLETE!!! :p :rolleyes: :beer:
:rock: :rock: :rock:
No more CoolWebSearch from the grave. . . . . . :hide:
flexkill
01-24-2005, 04:07 PM
if i ever find out how i got it...thats my biggest worry now :hide: ...i am very careful about where i go on the web...and what i use :scratch: ...damn i get weak and look at porn one time and look what happens!!!! :shhh: :lol: :lol: :mischeif:
LostInSpace278
01-24-2005, 04:26 PM
One thing is for sure, the fight against anti-spyware proggies, pop-up blockers, etc....is just as harsh as the fight against spyware, pop-ups etc.....
Someone is always trying to figure out a way around them.
flexkill
01-24-2005, 04:38 PM
one big pain in the arse!!! :yup:
LostInSpace278
01-24-2005, 04:46 PM
BTW, I make copies of all 4 proggies I named above, and pass them out at work.
When they pop in the CD, the title is "Porn Medic" :mischeif:
ThugsRook
01-24-2005, 04:53 PM
where do you guys go that you get this bad stuff?
ive had only like 2 viri in the last 10 years :scratch:
on the other hand, i cleaned out a machine the other day that had over 1300 objects identified :look: :yikes:
83racecrew
01-24-2005, 05:09 PM
It's not as much as where you go...it's these darn sneaky bastards who write the stuff. I myself have almost clicked yes on 2 separate occasions because what is in front of you on the screen looks nearly identical to a NAV "virus found" screen....you really have to look close. :irk: Once you get something installed, it constantly downloads other stuff to "serve" you, it's like a cascade effect. Over the last 2 months I have worked on at least 6 machines that were so infected you couldn't even open windows without getting 30 pop-ups in like 5 seconds. I would say the average I have encountered is in the 1000 object range. It's insane
flexkill
01-24-2005, 05:12 PM
This is the first time i have ever "got sick"!!! I have never had a problem before...i wish i knew where i did get it!!! :scratch: If i find out one of the kids were on MY pc...they in BiiiiiiiiiiiiiiG trouble!!! :yup: ...i have four PC's in this house and it's all to keep them off of mine :mischeif: !!! It used to be easy to catch them(a simple history check and busted) but as they get older they also get wiser...not much but a little :rolleyes:....ah well....time for a Beck's...that always makes things better!!! :yup: :rock:
Snafu
01-24-2005, 05:54 PM
We need Acegoober - shoot the buggers that write this stuff!!! If we can send folks to jail for deleting a man's saved game then we should be able to shoot these folks!
With spam you can hit the <delete> key and ignore it. Spyware is another matter - you don't know you have it and once you do you're pooched.
psst... flex, I was so jealous of your 3.0 that I snuck in there and slipped it in. Oh by the way if anyone asks about those 1-900 calls it wasn't me ;)
893KinkyShot
01-31-2005, 07:21 PM
this may sound weird(and perhaps a little late), but a while back i had trouble with spyware also... so i ran adaware, spybot and CWShredder... adaware removed most, CWShredder ran until it came across one that shut the program down... so after scratching my head over why it kept popping back up and wouldn't delete... i started throwing in all kindsa weird keywords in google and came up with the idea of uninstalling windows media player, running adaware, and then reinstalling the player. IT WORKED!
i'm not sure if this would have been the same in your situation, but it's worth a try if it does come back up!