July 6th, 2004, 01:57 PM
|
#1 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: Chicago
Posts: 2,163
| Nasty Trojan - Need Help Please
Windows XP w/ SP1A and IE6
I've been hijacked by 'CoolWebSearch' and I'm having major problems.
What happened: Installing weather watcher program (clean install), went back on the net without running msconfig and re-enabling 'Normal Startup' (and Zone Alarm / Norton).
What it did:
Changed browser homepage to 'about:blank'
Every time I tried to open Windows Explorer, Windows Installer would activate and run in a continuous loop. Same when trying to run Spybot nuker (only spyware removal tool I could DL)
Would not let me past TechIMO homepage to the forums for help.
Would not display any page from google's "hits" that had spyware removal tools (page not found)
Finally managed to get to Ad-aware to DL the newest version, said it was DLing but would not.
Went to Trendmicro's site to run their AV scanner, kept crashing IE right before the scan would begin.
Went to Windows Update, said I was not the administrator and when I would log in as such kept coming back with incorrect user. Tried to use the 'Run as' command, no go.
Every once in a while Windows pops a message up saying that my XP SP1 contains unrecognized file versions but will not let me repair them (msv...dll)
What I did:
DL'd and installed Mozilla Firefox browser. This allowed me to DL the newest version of Ad-aware. Ad-Aware would remove the files but they would return.
DL'd CWSshredder and HijackThis. CWS would remove malware but again they would return. The last (3rd) time I ran the program it had to start with misc letters in the title bar because I had a variant2 of the trojan which would otherwise not let it start. WOW
Ran Hijackthis which found 7 entries and removed them. There are still entries that I don't recall seeing before.
Ran spyware nuker, found 1 entry but said I would have to cough up $30.00 to remove it. I don't think so, I removed the program from the comp.
Where I'm at:
Back to being able to use TIMO forums, randomly. Still receiving the occasional 'page not found' message.
I still cannot access Windows update, same problem persists.
I removed Mozilla Firefox. It stopped working soon after I ran Ad-Aware, CWSshredder and HijackThis. I liked the browser but something's wrong. Firefox does not contain spyware, right?
I went into services and disabled 'Windows Installer' but it keeps trying to pop up (flashes open and then closes, looping for 6-7 times before finally closing). This also happens when trying to open other programs as well.
So, as you might guess, I've been trying to resolve this problem for about 24 hours as this happened about 2 pm yesterday afternoon. I did manage to DL the IT version of XP SP1 and tried to run it but it will not run because of the MSV or whatever dll.
I have not backed up my comp in about 3 months (100th time head bangs wall) so I really need to finish fixing the issues and at this point do not know what the next step would be.
Any and all help would be appreciated.
Thanks
WB
July 6th, 2004, 02:08 PM
|
#2 (permalink)
| | Senior Member
Join Date: Dec 2002 Location: SOUTH FLA
Posts: 937
|
I would try to see if it is in your processes menu, end task on it, then disable System Restore (thus clearing all restore points). Then clear history/temp files/cookies, then run your antivirus/Ad-aware programs, clean them, and see if that helps.
LINK to missing DLL files if you need it: http://www.dll-files.com/
Last edited by sam : July 6th, 2004 at 02:11 PM.
|
| |
July 6th, 2004, 02:15 PM
|
#3 (permalink)
| | Senior Member
Join Date: Dec 2002 Location: SOUTH FLA
Posts: 937
| |
| |
July 6th, 2004, 02:19 PM
|
#4 (permalink)
| | skating away.........
Join Date: Nov 2003 Location: purging the urge
Posts: 6,454
| |
| |
July 6th, 2004, 02:36 PM
|
#5 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: Chicago
Posts: 2,163
|
Third time trying to type this, I keep randomly being bumped to TIMO's home page.
Sam, thanks for the quick response.
then disable system restore ---- do not use system restore, bad exp on a ME comp
clear history/temp files/cookies ---- 3 times a day depending on comp use
then run your anti virus/adaware programs, clean them, and see if that helps--- 4th time, same deal
There is no indication as to which of the DLLs, or any files for that matter, are corrupted or missing. Saved that link as there has been more than one time where I could have used it.
WB
| |
July 6th, 2004, 02:48 PM
|
#6 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: Chicago
Posts: 2,163
|
Thanks guys, I'm going to take a look now.
WB
| |
July 7th, 2004, 05:10 AM
|
#7 (permalink)
| | Senior Member
Join Date: Dec 2002 Location: SOUTH FLA
Posts: 937
|
What is listed in your processes menu (Ctrl-Alt-Delete)? The link I gave you above will help decipher good/bad. If the virus is listed there, it needs to be first disabled and task ended or it will return even after a cleaning. Also, what is in your startup menu? Start / Run / (type) "msconfig" (no quotes) - Selective Startup - Startup
| |
July 7th, 2004, 06:47 AM
|
#8 (permalink)
| | Ultimate Member
Join Date: Oct 2001
Posts: 10,821
|
There is also this tool http://www.majorgeeks.com/download4113.html called "CoolWWWSearch.SmartKiller (v1/v2) MiniRemoval".
It's for one of the variants that tries to kill CWShredder... it might be worth trying.
I do know that the dude who makes CWShredder said on his site that there are stronger variants out now and he doesn't have time to update CWShredder at this time because of other commitments... so hopefully someone else steps up to the plate, lol
__________________
"Even a fool is thought to be wise if he is silent"
|
| |
July 7th, 2004, 07:13 AM
|
#9 (permalink)
| | Ultimate Member
Join Date: Aug 2002 Location: Cincinnati, Ohio
Posts: 2,014
| |
| |
July 7th, 2004, 07:28 AM
|
#10 (permalink)
| | Ultimate Member
Join Date: Oct 2001
Posts: 10,821
|
Of course another thing you could try is... get a spare hard drive, build Windows on it, boot off of it (by having your current drive in there as secondary or slave etc.) and then get the data off of the original drive using the spare drive.
Then once you have your data off of it onto the spare drive, you can scan the spare drive to be sure the spyware/virus didn't also come across. Then you can just format the infected drive.
---
My overall question is... how are the authors of CoolWebSearch not in jail?