Solved infected with malware help with removal

cosmicanddavid

Man, I did a 1 quickfix deep clean with Glary Utilities. While I was watching the folders it was cleaning and scanning, I noticed the words coolwebsearch is in my PC. The scan was going so fast I didn't get the chance to find out where it was in my PC. I did a folder name search with Glary folder search and it doesn't show coolwebsearch on my PC. I know it's not running because RogueKiller Premium hasn't found it and Microsoft Essentials hasn't picked it up. What's the best way to find it in my PC or remove it? Autoruns and Process Explorer are not showing it up either. I'd be grateful for any tips :cry:
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
dell
OS
windows 7
CPU
intel r
Motherboard
???
Memory
4gb
Graphics Card(s)
none
Hard Drives
ata device
Antivirus
microsoft essentials
Browser
firefox
I'm not a security expert. Based on a Google search for "coolwebsearch" it appears to be classified as adware and/or browser hijacker and/or potentially unwanted program. Two free utilities often recommended at Seven Forums are AdwCleaner and Junkware Removal Tool.

Downloads - AdwCleaner - ToolsLib

Malwarebytes | Junkware Removal Tool

Hopefully others more experienced with malware removal will jump in with other suggestions.
 

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Sony Vaio VPCEB47GM Laptop
OS
Win 7 Pro 64-bit
CPU
Intel i5 2.4 Ghz
Memory
8GB DDR3
Graphics Card(s)
Intel HD 3000
Sound Card
IDT High Definition
Monitor(s) Displays
15.6 WGXA Anti-Glare LED
Screen Resolution
1280x800
Hard Drives
640Gb 7200rpm
Antivirus
MSE
Browser
Opera (primary) with IE9 backup
I did a scan this morning. I don't know if it's a folder or registry, but I can see the start of the file or folder has letters and numbers assorted. Any help appreciated, thanks.
 

Found out the last words of the file, folder or reg key is /homesearch, but it's got coolwebsearch before it. I'd be grateful for any help, thanks. AdwCleaner and junk remover didn't shift it!
 


My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
ASUS
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard
ASUSTeK COMPUTER INC. X501U
Memory
4.00 GB
Graphics Card(s)
AMD Radeon HD 6290 Graphics
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
Hitachi HTS545050A7E380 SATA Disk Device
Antivirus
Comodo CIS & FW, SecureAplus App Whitelisting, Threatfire
Browser
Cyberfox 64bit, Opera 64bit, Airfox
Other Info
Spy-The-Spy, HitmanPro.Alert, Norton Connect Safe, MJRegWatcher, BitDefender TrafficLight, Voodoo Shield, Zemana AntiMalware
Thank you, will try that first thing in the morning with my daily cleanup, defrag and system health check.

Thanks Callender
 

~ ZHPCleaner v2017.5.12.80 by Nicolas Coolman (2017/05/12)
~ Run by cosmicpc (Administrator) (13/05/2017 08:43:00)
~ Web: Nicolas Coolman | By Nicolas Coolman...
~ Blog: Anti-Malware Zone - Actualité Anti-Malware
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\cosmicpc\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\cosmicpc\AppData\Roaming\ZHP\ZHPCleaner_Reg.txt
~ UAC : Activate
~ Boot Mode : Sans échec avec prise en charge du réseau (Fail-safe with network boot)
Windows 7 Professional, 64-bit Service Pack 1 (Build 7601)


---\\ Services (0)
~ No malicious or unnecessary items found.


---\\ Browser internet (0)
~ No malicious or unnecessary items found.


---\\ Hosts file (1)
~ The hosts file is legitimate (1)


---\\ Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.


---\\ Explorer ( File, Folder) (6)
MOVED file: C:\Users\cosmicpc\AppData\Local\temp\~autoupdate.dat =>.Superfluous.Temporary.Empty
MOVED file: C:\Users\cosmicpc\AppData\Local\temp\~gu3-ver.dat =>.Superfluous.Temporary.Empty
MOVED folder: C:\ProgramData\InstallMate =>.Superfluous.Tarma
MOVED folder: C:\ProgramData\Application Data\IObit\ASCDownloader =>.Superfluous.AdvanceSystemCare
MOVED folder: C:\ProgramData\IObit\ASCDownloader =>.Superfluous.AdvanceSystemCare
MOVED folder: C:\Users\cosmicpc\AppData\Roaming\IObit\Advanced SystemCare =>.Superfluous.AdvanceSystemCare


---\\ Registry ( Key, Value, Data) (1)
DELETED data: [X64] HKLM\SOFTWARE\Classes\htmlfile\Shell\Open\Command\\Default [Bad : "%1" %*]  =>Broken.OpenCommand


---\\  Summary of the elements found (4)
https://nicolascoolman.eu/2017/01/20/logiciels-superflus/  =>.Superfluous.Temporary.Empty
https://www.nicolascoolman.com/fr/pup-tarma/  =>.Superfluous.Tarma
https://www.anti-malware.top/2016/10/07/superfluous-advancesystemcare/  =>.Superfluous.AdvanceSystemCare
https://nicolascoolman.eu/2017/01/27/repaquetage-et-infection/  =>Broken.OpenCommand


---\\  Other deletions. (1)
~ Registry Keys Tracing deleted (1)
~ Remove the old reports ZHPCleaner. (0)


---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Google Chrome)
~ Browser not found (Opera Software)


---\\ Statistics
~ Items scanned : 697
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 7


~ End of clean in 00h00mn12s
~====================
ZHPCleaner-[R]-13052017-08_43_12.txt
ZHPCleaner-[S]-13052017-08_42_24.txt

No luck at all.

Tried HijackThis but it can't remove files from systemroot??
 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:02:43 AM, on 5/13/2017
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.18666)


Boot mode: Safe mode with network support

Running processes:
C:\Users\cosmicpc\Documents\saturday scan\Adaware_Installer.exe
C:\Users\cosmicpc\Documents\saturday scan\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = MSN.com - Hotmail, Outlook, Skype, Bing, Latest News, Photos Videos
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: HmaOpenVpn Service (HmaOpenVpnService) - The OpenVPN Project - C:\Program Files (x86)\HMA! Pro VPN\bin\openvpnserv.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Malwarebytes Anti-Exploit Service (MbaeSvc) - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - Sandboxie Holdings, LLC - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 3394 bytes


HijackThis can't delete certain files, what now??
 


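An added example, not part of any poster's message and not HijackThis's own code: HijackThis 2.0.5 is a 32-bit program, so on 64-bit Windows its view of C:\Windows\System32 is redirected to SysWOW64 and native service binaries are reported as "(file missing)". The sketch below triages the O23 lines of the log above on that basis; the verdict labels and the C:\Windows install path are assumptions of the example.

```python
import re

# Sample input: four lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: HmaOpenVpn Service (HmaOpenVpnService) - The OpenVPN Project - C:\Program Files (x86)\HMA! Pro VPN\bin\openvpnserv.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
"""

# O23 line layout: display name, (service name), owner, image path, optional flag.
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?)"
    r" - (?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

# Assumption: Windows is installed in C:\Windows, as in the log above.
SYSTEM32 = "c:\\windows\\system32\\"


def triage(log, scanner_is_32bit_on_x64=True):
    """Return [(service_name, verdict)] for every O23 line in a HijackThis log."""
    results = []
    for line in log.splitlines():
        m = O23.match(line.strip())
        if not m:
            continue  # other sections (R1, O4, O11, ...) are out of scope here
        in_system32 = m["path"].lower().startswith(SYSTEM32)
        if m["missing"] and in_system32 and scanner_is_32bit_on_x64:
            # A 32-bit scanner looked in SysWOW64; confirm with a 64-bit tool
            # before treating the service as broken or deleting anything.
            verdict = "likely-redirection-artefact"
        elif m["missing"]:
            verdict = "binary-missing-review"
        elif m["owner"] == "Unknown owner":
            verdict = "present-unknown-owner"
        else:
            verdict = "present-third-party"
        results.append((m["name"], verdict))
    return results


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG):
        print(f"{name:20} {verdict}")
```

Entries marked as redirection artefacts are not evidence of infection; the third-party entries are the ones to compare against software knowingly installed.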
No luck at all. Even scanned with Adaware, and using Registry Manager Home Free I can't find anything related to the keywords. Weird.
 

Okay I guess it's nothing to worry about then.

Going back to your original post:

I did a 1 quickfix deep clean with Glary Utilities. While I was watching the folders it was cleaning and scanning, I noticed the words coolwebsearch is in my PC. The scan was going so fast I didn't get the chance to find out where it was in my PC.

Personally I would never use any one-click quick fix component of any utility. It's always best to scan and check results before adding exclusions where needed. Currently I don't have Glary Utilities installed but have used it in the past. Also, from what you stated it looks like Glary removed something related to coolwebsearch, so if nothing else finds traces, why worry about it?
 

True, think I'll close this thread. If it isn't running then maybe... if Adaware, RogueKiller, Microsoft Essentials, AdwCleaner and Malwarebytes didn't find it, then it mustn't be running or enabled in startup. No traces of it in Internet Explorer add-ons, so I think maybe it's a part of a history log or something. I'll leave it and not worry about it any more. Thanks Callender for ya help!!
 
