#1
Start Page Hijacked
Hi. My start page has been hijacked, and web sites are added to my favorites folder. When running Spybot, the following problems are listed (I have fixed most of them before, but they come back):

coolwwwsearch.Feat2Installer
coolwwwsearch.aff.winshow
alexa related
DSO Exploit
Klez
start page-EH

I have also pasted my HijackThis log below. If you can, please help me out. I will be sincerely thankful...

Kyle

Logfile of HijackThis v1.97.7
Scan saved at 1:47:47 PM, on 11/29/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\WINDOWS\IEPT32.EXE
C:\WINDOWS\SYSTEM\NETXG32.EXE
C:\WINDOWS\CRKZ.EXE
C:\WINDOWS\WINOL32.EXE
C:\WINDOWS\IEVI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATLDJ.EXE
C:\WINDOWS\ATLBA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\HPZTSB01.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\ENQMTPOX.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\CRKZ.EXE
C:\WINDOWS\CRKZ.EXE
C:\WINDOWS\SYSTEM\CRVZ32.EXE
C:\WINDOWS\SYSTEM\ATLDJ.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSDMN.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\stics.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\stics.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\stics.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\stics.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\stics.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\stics.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\stics.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.pitchforkmedia.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {449B3150-589C-B9E4-9349-AEF25B86D3EC} - C:\WINDOWS\SYSTEM\CRNJ.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows AdControl] C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [APIUN32.EXE] C:\WINDOWS\SYSTEM\APIUN32.EXE
O4 - HKLM\..\Run: [NETZY.EXE] C:\WINDOWS\SYSTEM\NETZY.EXE
O4 - HKLM\..\Run: [SDKGD32.EXE] C:\WINDOWS\SYSTEM\SDKGD32.EXE
O4 - HKLM\..\Run: [WINEC32.EXE] C:\WINDOWS\SYSTEM\WINEC32.EXE
O4 - HKLM\..\Run: [ATLBA.EXE] C:\WINDOWS\ATLBA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MFCTL.EXE] C:\WINDOWS\MFCTL.EXE
O4 - HKLM\..\RunServices: [NETQZ32.EXE] C:\WINDOWS\NETQZ32.EXE
O4 - HKLM\..\RunServices: [IPRN32.EXE] C:\WINDOWS\IPRN32.EXE
O4 - HKLM\..\RunServices: [WINOQ32.EXE] C:\WINDOWS\WINOQ32.EXE
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [MSUD.EXE] C:\WINDOWS\MSUD.EXE
O4 - HKLM\..\RunServices: [SYSHA32.EXE] C:\WINDOWS\SYSTEM\SYSHA32.EXE
O4 - HKLM\..\RunServices: [SDKIL32.EXE] C:\WINDOWS\SDKIL32.EXE
O4 - HKLM\..\RunServices: [SDKJX32.EXE] C:\WINDOWS\SYSTEM\SDKJX32.EXE
O4 - HKLM\..\RunServices: [MSXF.EXE] C:\WINDOWS\MSXF.EXE
O4 - HKLM\..\RunServices: [ADDQL.EXE] C:\WINDOWS\SYSTEM\ADDQL.EXE
O4 - HKLM\..\RunServices: [JAVARZ.EXE] C:\WINDOWS\SYSTEM\JAVARZ.EXE
O4 - HKLM\..\RunServices: [CRUE32.EXE] C:\WINDOWS\CRUE32.EXE
O4 - HKLM\..\RunServices: [IPOR32.EXE] C:\WINDOWS\IPOR32.EXE
O4 - HKLM\..\RunServices: [NETUI32.EXE] C:\WINDOWS\SYSTEM\NETUI32.EXE
O4 - HKLM\..\RunServices: [WINWR.EXE] C:\WINDOWS\SYSTEM\WINWR.EXE
O4 - HKLM\..\RunServices: [SYSKJ.EXE] C:\WINDOWS\SYSKJ.EXE
O4 - HKLM\..\RunServices: [IEPT32.EXE] C:\WINDOWS\IEPT32.EXE
O4 - HKLM\..\RunServices: [NETXG32.EXE] C:\WINDOWS\SYSTEM\NETXG32.EXE
O4 - HKLM\..\RunServices: [IEVI.EXE] C:\WINDOWS\IEVI.EXE
O4 - HKLM\..\RunServices: [CRKZ.EXE] C:\WINDOWS\CRKZ.EXE
O4 - HKLM\..\RunServices: [WINOL32.EXE] C:\WINDOWS\WINOL32.EXE
O4 - HKLM\..\RunServices: [ATLDJ.EXE] C:\WINDOWS\SYSTEM\ATLDJ.EXE
O4 - HKLM\..\RunServices: [CRVZ32.EXE] C:\WINDOWS\SYSTEM\CRVZ32.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yvghy] C:\WINDOWS\SYSTEM\enqmtpox.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38181.1943981481
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27f037ef43f3dae47905/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

#2

I'll tell you right now, that is a dirty log.

#3

Any recommendations?
What do you recommend I do to clean it? Would a computer repair shop be able to help? Thanks.

#4

Browser hijacked
Quote:
I have the identical problem and I am in the dark much more than you are. I finally gave up and use Mozilla Firefox. I like IE more. I live in San Jose, Costa Rica. I retired here because I can live on my Soc Sec check. Very inexpensive living. My grandson visited me and visited some risky sites and then my browser was hijacked by CoolWWWsearch WCAD. I yesterday downloaded GIANT Spyware and it positively identified CoolWWW. GIANT successfully blocks, but the hijacked pages always come back. If you could steer me in the right direction I would appreciate it. Russell

#5

Quote:
If you'd like help, please create a new thread in this forum and post your own HijackThis log.

#6

I can fix the log for you, but once again, run adaware, spybot, (http://spybot.info), and search google for 'CWShredder' and also run that.

#7

Ad-aware, Spybot, CWS Shredder
I have previously tried the three programs you mentioned. Spybot identifies about 20 or so CoolWWWsearch files. I fix them, but they eventually come back. After Spybot, Ad-aware identifies a lot more CoolWWWsearch files, but I have a hard time fixing them. The computer usually freezes up. For some of the files it says you need to restart to get rid of them (some of them are in restore folders, I think), but then when I try to shut down, the computer sometimes freezes and I have to shut the computer down incorrectly. In any event, I can't seem to sufficiently fix all the CoolWWW files. CWShredder says my CPU is clean.

I found a HijackThis tutorial on the internet and have gotten rid of some of the bad stuff with seemingly no problems. Many of the O4 (autoloading programs) entries that I think are bad are not listed in the database I used, and I don't dare delete them. Based upon my research I believe I have the about:blank spyware problem, which I think it says is a version of CoolWWW. From what I've read it's very difficult to get rid of. I read a review that says Aluria Spyware Eliminator is able to get rid of this problem, although I'd like to know for sure before I spend the $30. Anyone heard anything about that? Taliseh, I would appreciate it very much if you could help me. I would gladly send you the $30 I would have spent on spyware software if you could get this damn thing off my computer. I will attach a new HijackThis log since I made some changes. Russell, I feel your pain. Thanks for your time and effort. Kyle

#8

New Hijack this log
Oh yeah, IE shuts down occasionally, even when I'm not on it, saying it caused problems with KERNEL32 and a couple of the other processes listed. Thanks again...Kyle
Logfile of HijackThis v1.97.7
Scan saved at 7:47:35 AM, on 12/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\WINDOWS\CRKZ.EXE
C:\WINDOWS\IEPT32.EXE
C:\WINDOWS\SYSTEM\NETXG32.EXE
C:\WINDOWS\SYSTEM\CRVZ32.EXE
C:\WINDOWS\WINOL32.EXE
C:\WINDOWS\NTHQ.EXE
C:\WINDOWS\IEVI.EXE
C:\WINDOWS\SYSTEM\IPAD32.EXE
C:\WINDOWS\SYSTEM\ATLDJ.EXE
C:\WINDOWS\NTUX.EXE
C:\WINDOWS\SYSTEM\MFCRO32.EXE
C:\WINDOWS\MSQH.EXE
C:\WINDOWS\SYSTEM\MFCMF32.EXE
C:\WINDOWS\APPTT32.EXE
C:\WINDOWS\NETTR32.EXE
C:\WINDOWS\SYSTEM\JAVASE32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSBT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\D3BY.EXE
C:\WINDOWS\SYSTEM\SYSVN32.EXE
C:\WINDOWS\SYSTEM\WINGO32.EXE
C:\WINDOWS\MSEF32.EXE
C:\WINDOWS\SYSTEM\ATLUH32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSDMN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPZTSB01.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\WINDOWS\SYSTEM\JAVAJM.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\ENQMTPOX.EXE
C:\WINDOWS\SYSTEM\MFCMF32.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\WINDOWS\SYSTEM\IPAD32.EXE
C:\WINDOWS\SYSTEM\ATLDJ.EXE
C:\WINDOWS\SYSTEM\ATLDJ.EXE
C:\WINDOWS\IEBQ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\IEPT32.EXE
C:\WINDOWS\IEPT32.EXE
C:\WINDOWS\IEPT32.EXE
C:\WINDOWS\SYSTEM\NETRY.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bdxsl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bdxsl.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bdxsl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bdxsl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bdxsl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bdxsl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bdxsl.dll/sp.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BD85FF67-C43F-4377-4D51-43E5E92B5A18} - C:\WINDOWS\SYSTEM\IEVD.DLL
O2 - BHO: (no name) - {05BCB7D0-2092-8BB5-50DB-5590500B3E7E} - C:\WINDOWS\SYSTEM\ATLMZ.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL (file missing)
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [JAVAJM.EXE] C:\WINDOWS\SYSTEM\JAVAJM.EXE
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [NETZY.EXE] C:\WINDOWS\SYSTEM\NETZY.EXE
O4 - HKLM\..\Run: [SDKEU.EXE] C:\WINDOWS\SYSTEM\SDKEU.EXE
O4 - HKLM\..\Run: [SDKGD32.EXE] C:\WINDOWS\SYSTEM\SDKGD32.EXE
O4 - HKLM\..\Run: [WINCV.EXE] C:\WINDOWS\SYSTEM\WINCV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MFCTL.EXE] C:\WINDOWS\MFCTL.EXE
O4 - HKLM\..\RunServices: [NETQZ32.EXE] C:\WINDOWS\NETQZ32.EXE
O4 - HKLM\..\RunServices: [IPRN32.EXE] C:\WINDOWS\IPRN32.EXE
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [IEPT32.EXE] C:\WINDOWS\IEPT32.EXE
O4 - HKLM\..\RunServices: [NETXG32.EXE] C:\WINDOWS\SYSTEM\NETXG32.EXE
O4 - HKLM\..\RunServices: [IEVI.EXE] C:\WINDOWS\IEVI.EXE
O4 - HKLM\..\RunServices: [CRKZ.EXE] C:\WINDOWS\CRKZ.EXE
O4 - HKLM\..\RunServices: [WINOL32.EXE] C:\WINDOWS\WINOL32.EXE
O4 - HKLM\..\RunServices: [ATLDJ.EXE] C:\WINDOWS\SYSTEM\ATLDJ.EXE
O4 - HKLM\..\RunServices: [CRVZ32.EXE] C:\WINDOWS\SYSTEM\CRVZ32.EXE
O4 - HKLM\..\RunServices: [IPAD32.EXE] C:\WINDOWS\SYSTEM\IPAD32.EXE
O4 - HKLM\..\RunServices: [NTUX.EXE] C:\WINDOWS\NTUX.EXE
O4 - HKLM\..\RunServices: [MFCRO32.EXE] C:\WINDOWS\SYSTEM\MFCRO32.EXE
O4 - HKLM\..\RunServices: [MFCMF32.EXE] C:\WINDOWS\SYSTEM\MFCMF32.EXE
O4 - HKLM\..\RunServices: [NTHQ.EXE] C:\WINDOWS\NTHQ.EXE
O4 - HKLM\..\RunServices: [MSQH.EXE] C:\WINDOWS\MSQH.EXE
O4 - HKLM\..\RunServices: [APPTT32.EXE] C:\WINDOWS\APPTT32.EXE
O4 - HKLM\..\RunServices: [NETTR32.EXE] C:\WINDOWS\NETTR32.EXE
O4 - HKLM\..\RunServices: [JAVASE32.EXE] C:\WINDOWS\SYSTEM\JAVASE32.EXE
O4 - HKLM\..\RunServices: [SYSBT.EXE] C:\WINDOWS\SYSTEM\SYSBT.EXE
O4 - HKLM\..\RunServices: [D3BY.EXE] C:\WINDOWS\D3BY.EXE
O4 - HKLM\..\RunServices: [SYSVN32.EXE] C:\WINDOWS\SYSTEM\SYSVN32.EXE
O4 - HKLM\..\RunServices: [MSEF32.EXE] C:\WINDOWS\MSEF32.EXE
O4 - HKLM\..\RunServices: [ATLUH32.EXE] C:\WINDOWS\SYSTEM\ATLUH32.EXE
O4 - HKLM\..\RunServices: [WINGO32.EXE] C:\WINDOWS\SYSTEM\WINGO32.EXE
O4 - HKLM\..\RunServices: [IEBQ.EXE] C:\WINDOWS\IEBQ.EXE
O4 - HKLM\..\RunServices: [NETRY.EXE] C:\WINDOWS\SYSTEM\NETRY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yvghy] C:\WINDOWS\SYSTEM\enqmtpox.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE" "+b1"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38181.1943981481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
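The triage Kyle describes in #7 (O4 entries that are in no database, so he does not dare delete them) can be done mechanically against the two logs in #1 and #8. What gives the hijacker away in those logs is not the names themselves but their shape and location: a start/search page served from `res://` inside a DLL in `C:\WINDOWS\system`, browser helper objects loaded from `C:\WINDOWS\SYSTEM` instead of a vendor directory, and autostart binaries in the Windows root or SYSTEM directory named as a plausible prefix (NET, SYS, ATL, MFC, JAVA, SDK, ...) plus a few random letters and an optional "32". The script below is an added example for this thread, not a tool from the original posts. The prefix pattern and the allowlist of legitimate Windows ME binaries are assumptions derived from the entries in these two logs; the sample log is a constructed excerpt of lines of the same shape.

```python
"""Triage a HijackThis 1.97-style log for the start/search page hijack seen in this thread.

Heuristics only: every HIGH finding still deserves a look-up before it is "fixed".
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the logs posted above (not a full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\stics.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {449B3150-589C-B9E4-9349-AEF25B86D3EC} - C:\WINDOWS\SYSTEM\CRNJ.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [NETQZ32.EXE] C:\WINDOWS\NETQZ32.EXE
O4 - HKLM\..\RunServices: [ATLDJ.EXE] C:\WINDOWS\SYSTEM\ATLDJ.EXE
O4 - HKCU\..\Run: [Yvghy] C:\WINDOWS\SYSTEM\enqmtpox.exe
"""

# The Windows root and its SYSTEM directory, where the hijacker drops its binaries.
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS(\\SYSTEM(32)?)?$", re.I)

# Name shape of the hijacker binaries in this thread (assumption drawn from the logs):
# a plausible prefix, two to four random letters, optional "32", e.g. NETQZ32.EXE, ATLDJ.EXE.
GENERATED_RE = re.compile(
    r"^(API|ADD|APP|ATL|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)[A-Z]{2,4}(32)?\.EXE$",
    re.I,
)

# Binaries that legitimately autostart from the Windows directory on this machine
# (assumption: the known-good entries in the posted logs; extend for other machines).
KNOWN_WINDIR_BINARIES = {
    "systray.exe", "rundll32.exe", "mstask.exe", "ssdpsrv.exe", "ctfmon.exe",
    "promon.exe", "prpcui.exe", "loadqm.exe", "dockapp.exe", "hpztsb01.exe",
    "statemgr.exe",
}

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_PATH = re.compile(r'^"?(?P<path>.+?\.exe)"?', re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH", "MEDIUM" or "LOW"
    line: str
    reason: str


def _split_path(path: str):
    """Return (directory, basename); a bare name resolves via the system path, i.e. WINDOWS."""
    directory, _, base = path.rpartition("\\")
    return (directory or r"C:\WINDOWS"), base


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing about it looks wrong."""
    m = R_LINE.match(line)
    if m:
        value = m.group("value").lower()
        if value.startswith("res://") and ".dll" in value:
            return Finding("HIGH", line, "search/start page served from a resource inside a local DLL (about:blank hijack pattern)")
        if value == "about:blank":
            return Finding("LOW", line, "about:blank default page; harmless alone, part of the signature next to a res:// search page")
        return None
    m = O2_LINE.match(line)
    if m:
        path = m.group("path")
        if path == "(no file)":
            return Finding("LOW", line, "orphaned BHO registration, the DLL is already gone")
        directory, _ = _split_path(path)
        if WINDIR_RE.match(directory):
            return Finding("HIGH", line, "browser helper object loaded from the Windows directory rather than a vendor path")
        return None
    m = O4_LINE.match(line)
    if m:
        p = EXE_PATH.match(m.group("cmd"))
        if not p:
            return None
        directory, base = _split_path(p.group("path"))
        if not WINDIR_RE.match(directory) or base.lower() in KNOWN_WINDIR_BINARIES:
            return None
        if GENERATED_RE.match(base):
            return Finding("HIGH", line, "autostart binary in the Windows directory with the hijacker's generated name shape")
        return Finding("MEDIUM", line, "unrecognised autostart binary in the Windows directory; look it up before fixing")
    return None


def triage(log_text: str):
    """Run triage_line over every line of a log; findings come back in log order."""
    return [f for f in (triage_line(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.reason}\n       {f.line}")
```

Feed it the whole saved log (`triage(open("hijackthis.log").read())`) and you get a worklist rather than a verdict: HIGH entries are the ones to check first in HijackThis, MEDIUM ones need a look-up, and anything the Startup, O8, O9 or O16 sections carry is left for a human. The allowlist is what keeps `SysTray.Exe` and `Rundll32.exe` from tripping the generated-name pattern, so it has to be tuned to the machine being examined.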

#9

Had the same problems with users at my workplace; they get it, I clean it (repeated almost daily). It is their company (my users), so it is not like I can tell them what to do. So I explained I was going to lock down the Internet further (further than I had already done) and that they would get a frequent message, but be better off than constantly hijacked. They agreed, and so...

I put in place the IE Admin Approved Controls and created my own list of controls in a policy template. I am fairly certain you can hack it in without being in a domain, but the users I am discussing are in a domain. After putting that in place and controlling what ActiveX will come down to their PCs, no more search/start page hijacking. Search Google for the Admin Approved Controls and I am fairly certain there is lots on it, and even how to hack it in without having policies and a domain. There is a side effect, and last I read no way around it except replacing MS's EXE with a hacked one, which I do not do. The side effect is that on "all pages" that have ActiveX content IE will prompt a message that it may not work properly. The best thing about this setting is that you are not bogging down the PC with anti-hijack software, as it is integrated into IE. The setting is enabled in the custom security list of IE properties, but the list of controls runs from the registry and you will have to have domain policy or hack it in with a REG/INF file. Of course this is not a fix for currently affected PCs, but a way to prevent web-based (ActiveX) hijacking down the road. In addition to that, I think there is an IE policy for blocking changes to the start page, etc. from user dialog and script (not ActiveX). I have not had to go to that degree yet; the hijacking stopped and I lock the users (owners of the company) down as little as possible so they are not restricted on their own PCs. Would hate to be called the bastard admin from hell or something.
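The "hack it in with a REG/INF file" route the previous post mentions comes down to two registry settings. The fragment below is an added example, not the poster's own template. The Internet zone is zone 3 under Internet Settings\Zones and action 1200 is "Run ActiveX controls and plug-ins", where 0 = Enable (the default that lets a web page install the hijacker's control), 3 = Disable and 0x10000 = Administrator approved. The approved list is the key behind the Administrator Approved Controls policy in the IE administrative template; the exact layout (one value per CLSID, 0 = approved) is an assumption to check against your inetres.adm before rolling it out. The Flash CLSID is taken from the O16 line in the logs above, as the kind of control the users would be allowed to keep. The last key is the separate home-page policy the post refers to.

```reg
REGEDIT4

; Internet zone (zone 3). Action 1200 = "Run ActiveX controls and plug-ins".
; Weak (default) setting that let the hijacker's control in:
;   "1200"=dword:00000000
; Hardened: only CLSIDs on the administrator-approved list may run.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00010000

; Administrator Approved Controls list (assumption: value name = CLSID, 0 = approved,
; as in the IE administrative template). Shockwave Flash, from the O16 line in the logs.
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls]
"{D27CDB6E-AE6D-11CF-96B8-444553540000}"=dword:00000000

; "Disable changing home page settings": greys out the Home page section of Internet Options.
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
```

Two caveats a practitioner would want. First, REGEDIT4 is the header Windows 9x/ME regedit accepts, and the fragment imports with a double-click or `regedit /s file.reg`. Second, Windows ME has no registry ACLs, so a program already running on the machine (the O4 entries in the logs above) can simply write these keys back; the zone setting only raises the bar for the web-delivered (ActiveX) install path, which is the point the post makes about it being prevention, not a cleanup.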

#10

Got It!
Hello all. I am cautiously optimistic that I cleaned the coolwwwsearch about:blank spyware from my system. It seems like the programs Adware Away in conjunction with Spybot Search and Destroy got it. Adware Away recognized it as About Blank:Hijack Variant 5. Did a global scan and fix with that program. Fixed what it found, then did a search just for hijackers, and got rid of what that found. Then I did a Spybot search, it found Coolwwwsearch.feat installer and another Coolwwwsearch bot. Fixed those, and now my start page is not being hijacked any more. Hopefully it doesn't come back. Thanks for your help!
Kyle

Dev Shed Forums > System Administration > Antivirus Protection > Start Page Hijacked