Author Topic: CoolWebSearch / EffectiveBaneToolBar Removal Help  (Read 756 times)

Offline StormSeeker

« on: April 26, 2005, 07:15:23 PM »
EDIT: EffectiveBandToolBar !! Sorry for typo, and can not edit. :(

These are the 2 things that show up in Spybot, and can't seem to get rid of them. I've read the process in another thread here, but didn't know if that would also apply to my system. Hijackthis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 5:09:09 PM, on 4/26/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BB47B01D-60E3-46FC-99D5-702979BEEA78} - C:\WINDOWS\System32\fkfm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O18 - Filter: text/html - {A124AEEE-A31D-4EAA-ACDC-B2F98D6DCFFE} - C:\WINDOWS\System32\fkfm.dll
O18 - Filter: text/plain - {A124AEEE-A31D-4EAA-ACDC-B2F98D6DCFFE} - C:\WINDOWS\System32\fkfm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thank you for any and all help to get this removed from my system.

Storm
« Last Edit: April 26, 2005, 07:17:17 PM by StormSeeker »

Offline guestolo

« Reply #1 on: April 26, 2005, 11:36:24 PM »
Hi StormSeeker, I won't be back on until tomorrow, but could you do the following for now

Download CW-Shredder from my signature below and save it to desktop

Download the correct version for your system of 'SpSeHjfix' to the desktop
From this link
http://www.derbilk.de/404.html
Right click a blank part of desktop & select new folder, call it spfix
unzip the file into that folder


Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
Back in Windows
The tool creates a log of the fix which will appear in the folder.
Can you move the log out of that folder and save it elsewhere
then run SpSeHjfix again
If uninfected your system will not reboot

Afterwards
Run CWShredder.exe and click on the FIX button
Let it fix what it finds and restart your computer again

Back in Windows post a fresh hijackthis log
Can you also post the logs from SpSeHjfix
The first log you moved to a different location and the second log from the second scan, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline StormSeeker

« Reply #2 on: April 26, 2005, 11:52:01 PM »
First SPSeHjFix Log:



(4/26/05 9:41:24 PM) SPSeHjFix started v1.1.2
(4/26/05 9:41:24 PM) OS: WinXP  (5.1.2600)
(4/26/05 9:41:24 PM) Language: english
(4/26/05 9:41:24 PM) Win-Path: C:\WINDOWS
(4/26/05 9:41:24 PM) System-Path: C:\WINDOWS\System32
(4/26/05 9:41:24 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/26/05 9:41:25 PM) Disinfection started
(4/26/05 9:41:25 PM) Bad-Dll(IEP): c:\docume~1\admini~1\locals~1\temp\se.dll
(4/26/05 9:41:25 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\fkfm.dll
(4/26/05 9:41:25 PM) Searchassistant Uninstaller - Keys Deleted
(4/26/05 9:41:25 PM) UBF: 9 - UBB: 2 - UBR: 2
(4/26/05 9:41:25 PM) FilterKey: HKCR\text/html (deleted)
(4/26/05 9:41:25 PM) FilterKey: HKCR\CLSID\{A124AEEE-A31D-4EAA-ACDC-B2F98D6DCFFE} (deleted)
(4/26/05 9:41:25 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(4/26/05 9:41:25 PM) FilterKey: HKCR\text/plain (deleted)
(4/26/05 9:41:25 PM) FilterKey: HKCR\CLSID\{A124AEEE-A31D-4EAA-ACDC-B2F98D6DCFFE} (error while deleting)
(4/26/05 9:41:25 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(4/26/05 9:41:25 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB47B01D-60E3-46FC-99D5-702979BEEA78} (deleted)
(4/26/05 9:41:25 PM) BHO-Key: HKCR\CLSID\{BB47B01D-60E3-46FC-99D5-702979BEEA78} (deleted)
(4/26/05 9:41:25 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(4/26/05 9:41:25 PM) UBF: 7 - UBB: 1 - UBR: 1
(4/26/05 9:41:25 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(4/26/05 9:41:25 PM) Stealth-String not found
(4/26/05 9:41:25 PM) File added to delete: c:\windows\system32\fkfm.dll
(4/26/05 9:41:25 PM) File added to delete: c:\docume~1\admini~1\locals~1\temp\se.dll
(4/26/05 9:41:25 PM) Reboot


(4/26/05 9:42:46 PM) SPSeHjFix started v1.1.2
(4/26/05 9:42:46 PM) OS: WinXP  (5.1.2600)
(4/26/05 9:42:46 PM) Language: english
(4/26/05 9:42:46 PM) Win-Path: C:\WINDOWS
(4/26/05 9:42:46 PM) System-Path: C:\WINDOWS\System32
(4/26/05 9:42:46 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\


Second :



(4/26/05 9:43:39 PM) SPSeHjFix started v1.1.2
(4/26/05 9:43:39 PM) OS: WinXP  (5.1.2600)
(4/26/05 9:43:39 PM) Language: english
(4/26/05 9:43:39 PM) Win-Path: C:\WINDOWS
(4/26/05 9:43:39 PM) System-Path: C:\WINDOWS\System32
(4/26/05 9:43:39 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/26/05 9:43:40 PM) Disinfection started
(4/26/05 9:43:40 PM) Bad-Dll(IEP): c:\docume~1\admini~1\locals~1\temp\se.dll
(4/26/05 9:43:40 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\fkfm.dll
(4/26/05 9:43:40 PM) Searchassistant Uninstaller - Keys Deleted
(4/26/05 9:43:40 PM) UBF: 9 - UBB: 2 - UBR: 2
(4/26/05 9:43:40 PM) FilterKey: HKCR\text/html (deleted)
(4/26/05 9:43:40 PM) FilterKey: HKCR\CLSID\{4F106EA6-7A85-454E-AB88-DA570AA8F6A8} (deleted)
(4/26/05 9:43:40 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(4/26/05 9:43:40 PM) FilterKey: HKCR\text/plain (deleted)
(4/26/05 9:43:40 PM) FilterKey: HKCR\CLSID\{4F106EA6-7A85-454E-AB88-DA570AA8F6A8} (error while deleting)
(4/26/05 9:43:40 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(4/26/05 9:43:40 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEDC3469-F03B-4DDF-A631-7C1DE140F800} (deleted)
(4/26/05 9:43:40 PM) BHO-Key: HKCR\CLSID\{AEDC3469-F03B-4DDF-A631-7C1DE140F800} (deleted)
(4/26/05 9:43:40 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(4/26/05 9:43:40 PM) UBF: 7 - UBB: 1 - UBR: 1
(4/26/05 9:43:40 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(4/26/05 9:43:40 PM) Stealth-String not found
(4/26/05 9:43:40 PM) File added to delete: c:\windows\system32\fkfm.dll
(4/26/05 9:43:40 PM) File added to delete: c:\docume~1\admini~1\locals~1\temp\se.dll
(4/26/05 9:43:40 PM) Reboot


(4/26/05 9:45:04 PM) SPSeHjFix started v1.1.2
(4/26/05 9:45:04 PM) OS: WinXP  (5.1.2600)
(4/26/05 9:45:04 PM) Language: english
(4/26/05 9:45:04 PM) Win-Path: C:\WINDOWS
(4/26/05 9:45:04 PM) System-Path: C:\WINDOWS\System32
(4/26/05 9:45:04 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/26/05 9:45:34 PM) Disinfection started
(4/26/05 9:45:34 PM) Bad-Dll(IEP): (not found)
(4/26/05 9:45:34 PM) Bad-Dll(IEP) in BHO: (not found)
(4/26/05 9:45:34 PM) UBF: 7 - UBB: 1 - UBR: 1
(4/26/05 9:45:34 PM) UBF: 7 - UBB: 1 - UBR: 1
(4/26/05 9:45:34 PM) Bad IE-pages: (none)
(4/26/05 9:45:34 PM) Stealth-String not found
(4/26/05 9:45:34 PM) Not infected->END


HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:49:11 PM, on 4/26/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\devldr32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


I ran SPSeHjFix, and then restarted, it then, before anything else, came up again, but I didn't want to lose the log. So I clicked close, rather than disinfect again. Got the log file, re-ran it and then when it came up again, I clicked disinfect and that's when it did nothing and I closed it and got the 2nd log file. CWS found nothing. Thank you Thank you Thank you.

Storm
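
One way to confirm a cleanup like this from the logs rather than by eye, as an added example that is not part of the original posts: it diffs the entry lines of a before and an after HijackThis log and checks that nothing in the after log still references the two DLLs SPSeHjFix queued for deletion. The function names are this example's own, and the sample input is a handful of lines excerpted from the two HijackThis logs posted in this thread.

```python
import re

# A HijackThis entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Lines excerpted from the first and the post-fix HijackThis logs in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BB47B01D-60E3-46FC-99D5-702979BEEA78} - C:\WINDOWS\System32\fkfm.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {A124AEEE-A31D-4EAA-ACDC-B2F98D6DCFFE} - C:\WINDOWS\System32\fkfm.dll
"""
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""
# File names the SPSeHjFix log lists under "File added to delete".
FLAGGED = ("se.dll", "fkfm.dll")

def parse_entries(log_text):
    """Return the set of (section, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def diff_logs(before, after):
    """Return (removed, added): entries only in the before log, entries only in the after log."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

def still_references(log_text, needles):
    """Entries whose body still mentions any flagged file name (case-insensitive)."""
    return sorted(e for e in parse_entries(log_text)
                  if any(n.lower() in e[1].lower() for n in needles))

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for sec, body in removed:
        print("removed:", sec, body)
    for sec, body in added:
        print("new:    ", sec, body)
    print("leftover references:", still_references(AFTER, FLAGGED))
```

An empty leftover list together with the hijacker's BHO, Run and Filter entries in the removed list is the same conclusion the third SPSeHjFix pass reports as "Not infected".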

Offline StormSeeker

« Reply #3 on: April 27, 2005, 12:05:34 AM »
When I restart it doesn't hijack my IE homepage anymore. I think it's fixed!! Woo! Thank you so much!

Offline guestolo

« Reply #4 on: April 27, 2005, 01:54:12 PM »
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Back in Windows
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Is this a legit version of Windows you're running?
If so, why so far behind on Windows Updates?
I don't mean recommended updates, I'm talking about Critical Updates and Service Packs
It's important to keep up to date to keep your system secure
