Tech Support Guy banner
Cancel
Create thread New Forums
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.

webcoolsearch - removal help needed

Jump to Latest
1.8K views 4 replies 4 participants last post by  dvk01  
G
#1 ·
webcoolsearch has appeared in my start page. It also is effecting my favorites. They have all dissappeared and been replaced with other pages. I have run hijackthis. below please find my log file. Can you please tell me the steps to remove this from my comuter?

Logfile of HijackThis v1.96.1
Scan saved at 10:28:06 PM, on 10/5/2002
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\CKA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcoolsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webcoolsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINDOWS\MSCOHC.DLL
O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Norton SystemWorks\CKA.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37884.4648726852
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt

Thanks in advance !!!!

Grinder22
 
G
#3 ·
Thanks.

We ran it and we are back to normal. However, preventing it from happening again is the difficult part. I cannot run windows update so I can install patches. When I click on windows update I receive an error "0X800A138F" ERROR. I have Windows 98 and I am running IE6 SP1. Should I follow the steps to remove Java VM like CWshredder said or is that only for XP users and 2000 users?

Thanks in advance
 
#4 ·
I would post another log just to make sure its clean,there are some more entries that will need to be fixed.

;)
 
Save
Like Like
Status
Not open for further replies.
You have insufficient privileges to reply here.
Tech Support Guy
posts
9.9M
members
873K
Since
1998
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Off Topic Lounge Thread Games & Discussion Networking