Understanding the Instructions
Thread Starter
Joined: Jun 2002
Posts: 662
Likes: 0
From: UAE
Hi People
I have run Bazooka on my system to find the spyware that's bothering me on my home PC. It has found it and instructed me how to remove it, as per below:
CoolWebSearch.xpsystem
Overview
CoolWebSearch.xpsystem is a browser hijacker redirecting your Internet Explorer browser to search.thestex.com, t.rack.cc or awebfind.biz.
Classification
Adware
Files
SERVICES.EXE, y.exe, 1.00.07.dll
Log references
Log 53
Vendor
CoolWebSearch.com whois
Privacy policy
No privacy policy available.
Detection
Bazooka Adware and Spyware Scanner detects CoolWebSearch.xpsystem. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications.
Manual removal
Please follow the instructions below if you would like to remove CoolWebSearch.xpsystem manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If CoolWebSearch.xpsystem remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
Start your computer in safe mode.
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
In the right pane, delete the value called 'xpsystem', if it exists.
Browse to the key:
'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
In the right pane, delete the value called 'xpsystem', if it exists.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {5321E378-FFAD-4999-8C62-03CA8155F0B3}', if it exists.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {5321E378-FFAD-4999-8C62-03CA8155F0B3}', if it exists.
Exit the registry editor.
Start Windows Explorer and delete:
%SystemDir%\SERVICES\SERVICES.EXE
%SystemDir%\SERVICES\Y.EXE
%SystemDir%\SERVICES\1.00.07.dll
Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Start Microsoft Internet Explorer.
In Internet Explorer, click Tools -> Internet Options.
Click the Programs tab -> Reset Web Settings.
The bit I do not get is:
Start Windows Explorer and delete:
%SystemDir%\SERVICES\SERVICES.EXE
%SystemDir%\SERVICES\Y.EXE
%SystemDir%\SERVICES\1.00.07.dll
Note: %SystemDir% is a variable (?).
By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Does this mean I need to delete the entire Windows/System folder? (I'm on 98 Version) If not, then what? I do not feel happy deleting such a large folder.
Thanks
YYZ
Per Ardua ad Astraeus
Joined: Mar 2000
Posts: 18,575
Likes: 4
From: UK
YYZ - the 'C:\Windows\System (Windows 95/98/Me)' bit is to tell you where to look for the files '1.00.07.dll' and 'Y.EXE' - as it says
'Note: %SystemDir% is a variable.
By default, this is......'
ie operating system dependent.
Last edited by BOAC; 28th October 2004 at 07:51.
Joined: Mar 2004
Posts: 133
Likes: 0
From: Glasgow
The easiest way to find a file is to use the search facility from the Start menu. If you do not have this, press the Windows key on your keyboard and F at the same time. This will bring up the search box. Type in the exact file name and do a search. You can also delete the file from the results. BE CAREFUL ONLY TO DELETE THE REQUIRED FILE!
Mike
Joined: Jul 2003
Posts: 182
Likes: 0
From: Frimley, Surrey.
Yes - the same search advice applies to the registry items, but firstly back-up the registry. Secondly, ensure that it's taken you to the right registry location. Some of these DSO Exploit jobbies use similar (or the same) filenames as genuine files.
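
Added example, not part of any post in this thread and not Bazooka's own code: it expands %SystemDir% to the defaults quoted in the instructions and sorts file-search hits into those at the exact listed path and those that only share a file name. The function names and the sample search hits are constructed for illustration.

```python
import ntpath

# Default %SystemDir% per Windows family, as quoted in the removal instructions.
SYSTEM_DIR = {
    "95/98/Me": r"C:\Windows\System",
    "NT/2000": r"C:\WINNT\System32",
    "XP": r"C:\Windows\System32",
}
# Files named in the instructions; all of them sit in the SERVICES subfolder.
LISTED_FILES = ("SERVICES.EXE", "Y.EXE", "1.00.07.dll")


def removal_targets(windows_family):
    """Expand %SystemDir%\\SERVICES\\<file> for one Windows family."""
    base = ntpath.join(SYSTEM_DIR[windows_family], "SERVICES")
    return [ntpath.join(base, name) for name in LISTED_FILES]


def _key(path):
    # Windows paths are case-insensitive; normcase also unifies / and \.
    return ntpath.normcase(ntpath.normpath(path))


def classify_hits(search_hits, windows_family):
    """Split search hits into exact-path matches and name-only matches."""
    targets = {_key(p) for p in removal_targets(windows_family)}
    names = {n.lower() for n in LISTED_FILES}
    listed, name_only = [], []
    for hit in search_hits:
        if _key(hit) in targets:
            listed.append(hit)
        elif ntpath.basename(hit).lower() in names:
            name_only.append(hit)  # same name, different folder: leave alone
    return listed, name_only


# Constructed sample: what a file-name search might return on an XP machine.
SAMPLE_HITS = [
    r"C:\Windows\System32\services.exe",           # genuine Windows file (NT/2000/XP)
    r"C:\WINDOWS\system32\SERVICES\services.exe",  # path listed in the instructions
    r"C:\Windows\System32\SERVICES\y.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    listed, name_only = classify_hits(SAMPLE_HITS, "XP")
    print("listed in the instructions:", listed)
    print("same name, other location:", name_only)
```

Only the paths in the first list correspond to the removal instructions; a hit in the second list matches by name alone and should be left in place.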




