Welcome to Merijn.nu

Frequently Asked Questions

Here are some questions I get asked a lot, and their answers. Please read this before you email me, I get a lot of email and the answer to your question may already be on this page.

Index

  • Questions about this website
  • Questions about CoolWebSearch
  • Questions about CWShredder
  • Questions about HijackThis

Questions about this website

Do you read all the email sent to you?

Yes. All email is read.

Do you answer all the email sent to you?

If the sender needs a reply, is asking me a relevant question or when I generally feel a response is needed, I reply to email. If the email just thanks me for helping him or her, I pat myself on the shoulder. :)

Can you check my HijackThis log for me?

No, sorry. Though this may seem a snotty attitude, I really don't have time for this anymore. Up until recently I'd have said yes, but fact is I get a lot of email each day, and together with college and work I really can't keep up if everyone asked me for personalized advice. If you post your log on one of the forums along with a description of your problem you will most likely receive help within a day.

I have a question or remark about this FAQ.

You can contact me here.

What is the license agreement for your software?

All my software is freeware and may be used by anyone free of charge, unless specified otherwise on my website. You are allowed to use this software as long as it is not altered, reverse-engineered or sold.

Questions about CoolWebSearch

What is your connection to cool-search.net?

None. I did not create cool-search.net or the trojan that is hijacking you to it. Since I help people remove this trojan from systems, the people behind cool-search.net (who make money with this kind of trojan) obviously don't like me and try to discredit me by attempting to make it seem as if I am to blame for this trojan.
If you believe this, think for a second about the fact that I didn't charge you a dime for using CWShredder.

What is your connection to searchvph.com?

None. I did not create searchvph.com or the trojan that is hijacking you to it. Since I help people remove this trojan from systems, the people behind cool-search.net (who make money with trojans like this) obviously don't like me and try to discredit me by attempting to make it seem as if I am to blame for this trojan.

What is your connection to CoolWebSearch?

None. I only maintain a tool dedicated to removing the flood of trojans that seems to flow from one origin: CoolWebSearch.com.

Who is/are CoolWebSearch?

CoolWebSearch is a company located in Russia. From their site: "Cool Web Search is a Pay-Per-Click search engine. [..] If you get a lot of visitors on your website, we will pay you 50% for each search, that your visitors make on our search engine. We also will pay you 5% of the revenues earned by every webmaster you referred to us." Since their emergence last year they have accumulated over 1000 affiliates, all with their own site and ways of 'attracting visitors'.
We know the following people are running/working for CoolWebSearch:
Louise Vitte (founder)
Alex S. Hatkinson (programming)
Serge Stepantsov (programming)
Victor (site admin)

How can I contact CoolWebSearch?

Here: http://www.coolwebsearch.com/contact.html

How do I get rid of this CWS trojan?

You can use CWShredder: http://www.intermute.com/products/cwshredder

How can I do something to combat this strain of browser hijacking trojans?

Look up the domain you were hijacked to (or any domain affiliated with CWS) and complain to their registrar or upstream provider. Several domains have already been shut down by doing this. You can also complain to CoolWebSearch itself and ask for the offending 'affiliate' to be shut down for spreading viruses.

I don't want to use your tool. How do I get rid of this CWS trojan?

Removing the CWS trojan manually is very hard. You can try using my CWS Chronicles to guide you, but you have to know a fair bit about Windows to be able to do it.

Questions about CWShredder

How do I prevent CWS from infecting me again?

Keep your system up to date from WindowsUpdate! This is the first step in armoring your system. The variants of the CWS trojan all install through old exploits in IE. Secondly, disabling Java might be a good idea since there have been reports of infections even on fully patched systems. For more help on protecting yourself, check out this thread at the SpywareInfo forums.

Why is CWShredder closing suddenly when I run it?

There are a few CWS trojans, as well as newer viruses, that attempt to close CWShredder, HijackThis, Spybot S&D, Ad-aware and a handful of antispyware programs and online help forums when you try to open them. To counter this, CWShredder has been updated. Start it again when it suddenly closes and it should work. If it still doesn't work, download PepiMK's CoolWWWSearch.Smartsearch killer and run that first, then use CWShredder to clean up.
If the Smartsearch killer does not help, ask for help on a forum with removing a resident trojan.

I think I have a new variant, it's not in your CWS Chronicles and CWShredder isn't removing it.

First, check if you have the latest version of CWShredder. If you do, contact InterMute and ask them for help. This will help them analyze new variants and add them to CWShredder.

Using CWShredder causes the CPU usage of SERVICES.EXE to go to 100%!

If you use an ad-blocking hosts file like the one included with Spybot S&D, the DNS client in Windows 2000/XP gets really peeved and causes trouble when using CWShredder. It also crashes SERVICES.EXE when you attempt to view or purge the DNS cache. Removing the hosts file fixes this. There is no known workaround, short of disabling the DNS Client (which will stop Windows from resolving domain names and thus leave you unable to use your Internet connection).

How do I uninstall CWShredder?

There is no uninstaller. Just delete CWShredder.exe and you're done.

Can I run CWShredder without user intervention, silently?

Yes, since v1.58 there is a commandline option /silent to do this. All actions that need user input are skipped. To use the Recycle Bin when using the silent option, add the switch /userecyclebin as well.
Since InterMute now owns CWShredder, I don't know if they kept this option.

Why can't I download CWShredder, the link is not working!

The link is kept updated at all times. You may be blocked by the CWS trojan on your system. Go to this mirror of my site: http://216.180.233.162/~merijn/index.html and try to download there.

Why am I getting an 'Unexpected error' about a missing DLL when running CWShredder?

You need the Visual Basic Runtime Libraries to be able to run CWShredder. Most recent Windows have these installed by default, but if you don't have these files, they're available from Microsoft.com.

Your CWShredder program doesn't fix my problem!

You may have an old version of CWShredder. Use the 'Check for updates' function to see if a newer version is available and see if that can remove your problem.
If it still doesn't fix it, download HijackThis and post a scan log on the SpywareInfo forums, asking for help.

Questions about HijackThis

Why am I getting an 'Unexpected error' about a missing DLL when running HijackThis?

You need the Visual Basic Runtime Libraries to be able to run HijackThis. Most recent Windows have these installed by default, but if you don't have them, they're available from Microsoft.com right here.

How do I know what to remove and what not in the scan results?

Ask someone who knows. You're not expected to understand all the results at first glance, it's pretty technical. You can post your log on one of the online help forums and ask for help.

I removed the browser hijack but it keeps coming back!

You probably left something behind that is reloading the hijack or there is something else present on your system reloading it that isn't visible in HijackThis. In both cases, post your log on one of the online help forums and ask for help.

Why is HijackThis closing suddenly when I run it?

There are a few CWS trojans, as well as newer viruses, that attempt to close CWShredder, HijackThis, Spybot S&D, Ad-aware and a handful of antispyware programs and online help forums when you try to open them. Download PepiMK's CoolWWWSearch.Smartsearch killer and run that first, then use CWShredder to clean up. If the Smartsearch killer does not help, ask for help on a forum with removing a resident trojan.

Why is [x] not shown in the scan results from HijackThis? I know a trojan/virus that uses this method to start.

HijackThis targets only browser hijacking methods, not trojans or viruses. Possibly the startup method you mean is shown by StartupList. If multiple browser hijackers are known to use a startup method, it is included in HijackThis. If you believe it is a newly discovered startup, please let me know about it.

Why am I getting an error #5 (Invalid procedure call) in modRegistry_GetFirstSubfolder()?

If you are getting this error:

An unexpected error has occurred at procedure:
modRegistry_GetFirstSubFolder(sFolder=C:\Documents and Settings\<username>\Application Data\Mozilla\Profiles\default)
Error #5 - Invalid procedure call or argument

Then you are running an older version of HijackThis, v1.97.5. Please download the latest version of HijackThis which fixes this bug.

How do I uninstall HijackThis?

You can usually uninstall it from the Add/Remove Programs list in the Control Panel.
If this does not work for some reason, start HijackThis, then click 'Config', 'Misc Tools', 'Uninstall HijackThis'. After this, delete HijackThis.exe. You can also delete the backups it created if you like.
However, if Windows tells you something like 'you don't have access to X:\...\HijackThis.exe', it might have been installed from a floppy disk or CD. Unless you still have that disk/CD, the uninstall will fail. In that case, download and run this Registry script to remove the item from the Add/Remove Software list.

I didn't install HijackThis. How did it get on my computer?

HijackThis was most likely installed by someone else - it does not install itself from websites or similar.
If you recently took your system to the store for servicing or repair, it's likely a tech from the store installed it and forgot to remove it later on. HijackThis is frequently used for repairs in computer shops.
If you wish you can uninstall it, this will not damage your computer. See the previous question. :)

My antivirus is detecting a virus/trojan/worm in HijackThis!

If you are using McAfee VirusScan, it's possible it detects W32/Generic.Worm!p2p, which is a generic detection for worm viruses that spread over file sharing networks such as Kazaa. This is a false detection.
Unfortunately, the UPX compression I use in all my programs is frequently detected by McAfee as this particular virus type. This compression method in itself is harmless, but since a lot of viruses also use this compression, it is frequently associated with viruses just because of that.
In the past few years, McAfee has detected HijackThis as this generic worm a total of four times, as well as detecting StartupList once. I have emailed them four times asking for a permanent fix, instead of updating the antivirus DAT files to fix one false detection each time. Since they seem not to be doing this, almost every new version of HijackThis is detected as this generic worm as soon as it comes out. I am tired of telling them to fix this, but I urge anyone with this problem to complain to them about it using any of the options listed on the McAfee contact page.

It is also possible that ZoneAlarm detects a virus in the uninstall Registry key of HijackThis. This is also a false positive.

What command line parameters does HijackThis accept?

The following parameters are accepted:
/autolog - automatically perform a scan, save it (requiring user input) and open it
/silentautolog - automatically perform a scan and save it to disk as hijackthis.log (HJT 1.99.2 and up)
/ihatewhitelists - ignore all internal whitelists in all checks
/uninstall - remove all Registry settings from HijackThis
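
One way to use /silentautolog for a recurring check, as an added example that is not the author's code: it runs an unattended scan and lists the entries that appeared or disappeared since a saved baseline, which is useful when a hijack "keeps coming back". The install folder, the baseline.log name, the log being written beside HijackThis.exe, the program exiting after it saves the log, and result lines starting with a code such as "O4 - " are all assumptions.

```powershell
# Added example: unattended HijackThis scan compared with a saved baseline.
# Assumptions (not from the page): the folder and baseline file name below,
# hijackthis.log being written next to HijackThis.exe, and HijackThis exiting
# on its own once the log has been saved.
$HjtDir   = 'C:\Tools\HijackThis'                  # hypothetical install folder
$HjtExe   = Join-Path $HjtDir 'HijackThis.exe'
$LogPath  = Join-Path $HjtDir 'hijackthis.log'
$Baseline = Join-Path $HjtDir 'baseline.log'       # hypothetical baseline name

function Get-HjtEntries {
    param([string]$Path)
    # Keep only result lines (assumed form: section code, " - ", details) and
    # drop the header and process list, which differ on every run.
    Get-Content -LiteralPath $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -cmatch '^[A-Z]\d{1,2} - ' } |
        Sort-Object -Unique
}

if (-not (Test-Path -LiteralPath $HjtExe)) { throw "HijackThis.exe not found at $HjtExe" }

$started = Get-Date
$proc = Start-Process -FilePath $HjtExe -ArgumentList '/silentautolog' `
                      -WorkingDirectory $HjtDir -PassThru
if (-not $proc.WaitForExit(300000)) {              # give the scan five minutes
    throw 'HijackThis did not exit; check for a dialog waiting for input.'
}

# Refuse to compare against a stale log left over from an earlier run.
$log = Get-Item -LiteralPath $LogPath -ErrorAction SilentlyContinue
if (-not $log -or $log.LastWriteTime -lt $started) {
    throw 'No fresh hijackthis.log was written (/silentautolog needs HJT 1.99.2 and up).'
}

if (-not (Test-Path -LiteralPath $Baseline)) {
    Copy-Item -LiteralPath $LogPath -Destination $Baseline
    'No baseline yet: this scan was saved as the baseline.'
    return
}

$old = @(Get-HjtEntries $Baseline)
$new = @(Get-HjtEntries $LogPath)
$new | Where-Object { $old -notcontains $_ } | ForEach-Object { "NEW:  $_" }
$old | Where-Object { $new -notcontains $_ } | ForEach-Object { "GONE: $_" }
```

A NEW line only shows that something changed since the baseline; whether the entry is harmful is still a question for the help forums.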

Why am I getting an 'Unexpected error' about a missing OCX file when running HijackThis?

Some of my programs also require MSCOMCTL.OCX. Most recent Windows versions have this file installed already, but if you don't have it, you can get it here.

How do I open your programs?

All my programs are compressed using WinZip. You can use WinZip to open the .zip files you just downloaded, and extract the files in it to a folder on your computer, like 'My Documents' or your Desktop. Windows XP handles zipped archives natively, but you still have to copy the files in a zipped archive to a separate folder to avoid losing them in the browser cache.

What Windows version are your programs compatible with?

All my programs are compatible with Windows 95 and newer, unless specified otherwise.
Some minor issues may arise with Windows Vista due to its security model.

Why am I getting error #75 (Path/File access) in modMain_CheckOther1Item()?

This procedure checks the Windows hosts file. On limited user accounts and on Windows Vista, this file may be protected by Windows and HijackThis is denied access. This does not impact HijackThis' functioning beyond it not being able to scan the file.