Yes. All email is read.
If the sender needs a reply, is asking me a relevant question or when I generally feel a response is needed, I reply to email. If the email just thanks me for helping him or her, I pat myself on the shoulder. :)
No, sorry. Though this may seem a snotty attitude, I really don't have time for this anymore. Up until recently I'd have said yes, but the fact is I get a lot of email each day, and together with college and work I really can't keep up if everyone asked me for personalized advice. If you post your log on one of the forums along with a description of your problem you will most likely receive help within a day.
You can contact me here.
All my software is freeware and may be used by anyone free of charge, unless specified otherwise on my website. You are allowed to use this software as long as it is not altered, reverse-engineered or sold.
None. I did not create cool-search.net or the trojan that is hijacking you to it. Since I help people remove this trojan from systems, the people behind cool-search.net (who make money with this kind of trojan) obviously don't like me and try to discredit me by attempting to make it seem as if I am to blame for this trojan.
If you believe this, think for a second about the fact that I didn't charge you a dime for using CWShredder.
None. I did not create searchvph.com or the trojan that is hijacking you to it. Since I help people remove this trojan from systems, the people behind cool-search.net (who make money with trojans like this) obviously don't like me and try to discredit me by attempting to make it seem as if I am to blame for this trojan.
None. I only maintain a tool dedicated to removing the flood of trojans that seems to flow from one origin: CoolWebSearch.com.
Coolwebsearch is a company located in Russia. From their site:
Cool Web Search is a Pay-Per-Click search engine. [..] If you get a lot of visitors on your website, we will pay you 50% for each search, that your visitors make on our search engine. We also will pay you 5% of the revenues earned by every webmaster you referred to us.
Since their emergence last year they have accumulated over 1000 affiliates, all with their own site and ways of 'attracting visitors'.
We know the following people are running/working for CoolWebSearch:
Louise Vitte (founder)
Alex S. Hatkinson (programming)
Serge Stepantsov (programming)
Victor (site admin)
You can use CWShredder: http://www.intermute.com/products/cwshredder
Look up the domain you were hijacked to (or any domain affiliated with CWS) and complain to their registrar or upstream provider. Several domains have already been shut down by doing this. You can also complain to CoolWebSearch itself and ask for the offending 'affiliate' to be shut down for spreading viruses.
Removing the CWS trojan manually is very hard. You can try using my CWS Chronicles to guide you, but you have to know a fair bit about Windows to be able to do it.
Keep your system up to date from WindowsUpdate! This is the first step in armoring your system. The variants of the CWS trojan all install through old exploits in IE. Secondly, disabling Java might be a good idea since there have been reports of infections even on fully patched systems. For more help on protecting yourself, check out this thread at the SpywareInfo forums.
There are a few CWS trojans, as well as newer viruses, that attempt to close CWShredder, HijackThis, Spybot S&D, Ad-aware and a handful of antispyware programs and online help forums when you try to open them. To counter this, CWShredder has been updated. Start it again when it suddenly closes and it should work. If it still doesn't work, download PepiMK's CoolWWWSearch.Smartsearch killer and run that first, then use CWShredder to clean up.
If the Smartsearch killer does not help, ask for help on a forum with removing a resident trojan.
First, check if you have the latest version of CWShredder. If you do, contact InterMute and ask them for help. This will help them analyze new variants and add them to CWShredder.
If you use an ad-blocking hosts file like the one included with Spybot S&D, the DNS client in Windows 2000/XP gets really peeved and causes trouble when using CWShredder. It also crashes SERVICES.EXE when you attempt to view or purge the DNS cache. Removing the hosts file fixes this. There is no known workaround, short of disabling the DNS Client (which will stop Windows from resolving domain names and thus leave you unable to use your Internet connection).
There is no uninstaller. Just delete CWShredder.exe and you're done.
Yes, since v1.58 there is a commandline option /silent to do this. All actions that need user input are skipped. To use the Recycle Bin when using the silent option, add the switch /userecyclebin as well.
Since InterMute now owns CWShredder, I don't know if they kept this option.
The link is kept updated at all times. You may be blocked by the CWS trojan on your system. Go to this mirror of my site: http://18.104.22.168/~merijn/index.html and try to download there.
You need the Visual Basic Runtime Libraries to be able to run CWShredder. Most recent Windows have these installed by default, but if you don't have these files, they're available from Microsoft.com.
You may have an old version of CWShredder. Use the 'Check for updates' function to see if a newer version is available and see if that can remove your problem.
If it still doesn't fix it, download HijackThis and post a scan log on the SpywareInfo forums, asking for help.
You need the Visual Basic Runtime Libraries to be able to run HijackThis. Most recent Windows have these installed by default, but if you don't have them, they're available from Microsoft.com right here.
Ask someone who knows. You're not expected to understand all the results at first glance; it's pretty technical. You can post your log on one of the online help forums and ask for help.
You probably left something behind that is reloading the hijack or there is something else present on your system reloading it that isn't visible in HijackThis. In both cases, post your log on one of the online help forums and ask for help.
There are a few CWS trojans, as well as newer viruses, that attempt to close CWShredder, HijackThis, Spybot S&D, Ad-aware and a handful of antispyware programs and online help forums when you try to open them. Download PepiMK's CoolWWWSearch.Smartsearch killer and run that first, then use CWShredder to clean up. If the Smartsearch killer does not help, ask for help on a forum with removing a resident trojan.
HijackThis targets only browser hijacking methods, not trojans or viruses. Possibly the startup method you mean is shown by StartupList. If multiple browser hijackers are known to use a startup method, it is included in HijackThis. If you believe it is a newly discovered startup, please let me know about it.
If you are getting this error:
An unexpected error has occurred at procedure:
modRegistry_GetFirstSubFolder(sFolder=C:\Documents and Settings\<username>\Application Data\Mozilla\Profiles\default)
Error #5 - Invalid procedure call or argument
then you are running an older version of HijackThis, v1.97.5. Please download the latest version of HijackThis, which fixes this bug.
You can usually uninstall it from the Add/Remove Programs list in the Control Panel.
If this does not work for some reason, start HijackThis, then click 'Config', 'Misc Tools', 'Uninstall HijackThis'. After this, delete HijackThis.exe. You can also delete the backups it created if you like.
However, if Windows tells you something like 'you don't have access to X:\...\HijackThis.exe', it might have been installed from a floppy disk or CD. Unless you still have that disk/CD, the uninstall will fail. In that case, download and run this Registry script to remove the item from the Add/Remove Software list.
HijackThis was most likely installed by someone else - it does not install itself from websites or similar.
If you recently took your system to the store for servicing or repair, it's likely a tech from the store installed it and forgot to remove it later on. HijackThis is frequently used for repairs in computer shops.
If you wish, you can uninstall it; this will not damage your computer. See the previous question. :)
If you are using McAfee VirusScan, it's possible it detects W32/Generic.Worm!p2p, which is a generic detection for worm viruses that spread over file sharing networks such as Kazaa. This is a false detection.
Unfortunately, the UPX compression I use in all my programs is frequently detected by McAfee as this particular virus type. This compression method in itself is harmless, but since a lot of viruses also use this compression, it is frequently associated with viruses just because of that.
In the past few years, McAfee has detected HijackThis as this generic worm a total of four times, as well as detecting StartupList once. I have emailed them four times asking for a permanent fix, instead of updating the antivirus DAT files to fix one false detection each time. Since they seem not to be doing this, almost every new version of HijackThis is detected as this generic worm as soon as it comes out. I am tired of telling them to fix this, but I urge anyone with this problem to complain to them about it using any of the options listed on the McAfee contact page.
It is also possible that ZoneAlarm detects a virus in the uninstall Registry key of HijackThis. This is also a false positive.
The following parameters are accepted:
/autolog - automatically perform a scan, save it (requiring user input) and open it
/silentautolog - automatically perform a scan and save it to disk as hijackthis.log (HJT 1.99.2 and up)
/ihatewhitelists - ignore all internal whitelists in all checks
/uninstall - remove all Registry settings from HijackThis
Some of my programs also require MSCOMCTL.OCX. Most recent Windows versions have this file installed already, but if you don't have it, you can get it here.
All my programs are compressed using WinZip. You can use WinZip to open the .zip files you just downloaded, and extract the files in it to a folder on your computer, like 'My Documents' or your Desktop. Windows XP handles zipped archives natively, but you still have to copy the files in a zipped archive to a separate folder to avoid losing them in the browser cache.
All my programs are compatible with Windows 95 and newer, unless specified otherwise.
Some minor issues may arise with Windows Vista due to its security model.
This procedure checks the Windows hosts file. On limited user accounts and on Windows Vista, this file may be protected by Windows and HijackThis is denied access. This does not impact HijackThis' functioning beyond it not being able to scan the file.
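As an added illustration (this is not HijackThis code, which this page does not show), the example below reads a hosts file, lists entries that map a name to a non-local address, and reports denied access as a status instead of failing, mirroring the behaviour described above. The sample file contents, the function names and the choice to treat loopback and 0.0.0.0 entries as harmless ad-blocking entries are assumptions.

```python
import ipaddress
from pathlib import Path

# Constructed sample: the ad-blocking entries point at local addresses,
# one line redirects two names to a remote (documentation-range) address.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   ads.example.com        # ad-blocking entry
0.0.0.0     tracker.example.net
192.0.2.10  search.example.org www.search.example.org
not-an-ip   broken.example.com
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for each well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a usable mapping
        for name in fields[1:]:
            yield line_no, addr, name.lower()


def suspicious_entries(text):
    """Return entries that send a hostname to a non-local address."""
    return [(n, str(a), h) for n, a, h in parse_hosts(text)
            if not (a.is_loopback or a.is_unspecified)]


def scan_hosts_file(path):
    """Scan a hosts file; a protected file is reported, not fatal."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except PermissionError:
        return {"status": "access-denied", "entries": []}
    except FileNotFoundError:
        return {"status": "missing", "entries": []}
    return {"status": "scanned", "entries": suspicious_entries(text)}
```

On Windows 2000/XP and later the file normally lives at %SystemRoot%\System32\drivers\etc\hosts; pass that path to scan_hosts_file.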