virus trouble

[narayan]

I was fortunate enough to get this suck virus that turns my PC into a porn server. xxxload.exe and save.exe are my culprits and I cannot find these anywhere to fix them. Symantec's site is no help. ZA has given me a path to these files, but they are not where ZA says. The only symptom I had of these is very slow surfing. Don't feel like formatting. Has anyone heard of this?

[HeadBand]

get adaware and spybot and run them also you might try the online virus scan at www.antivirus.com and also avg

[jannybean2002]

you could try www.trendmicro.com
run the house call virus scan..........its free

[Dax_Brandy]

Adaware 6 could be helpful. http://www.lavasoftusa.com/

[whitebeard21]

http://www.computing.net/security/ww...orum/9672.html

You have one of the most insidious worms to hit the net. Some versions self install when you delete a popunder.
I am Posting the info because of the extreme slowdown this causes to your pc, If you are here why wait 10 minutes for another page to load.

drop down to solution # 4

Name: The Helper
Date: February 14, 2004 at 10:44:15 Pacific
Homepage: HIJACKTHIS! DOWNLOAD
Subject: HEEELP!! Hijacked by MagicSearch.ws

Reply:
Ok, I picked up this hijacker today.
To remove it, you need to download a free software application HijackThis! from Download.com (Click my homepage link, it should take you to the download page for it on download.com and bypass the trojan).

When you have this software and you have run it click the scan button at the bottom of the window. The listbox should then fill up with crap. Tick everything and click the Fix Checked button. When it is done, wait 20 seconds and click scan again. The listbox will fill up again with stuff all with the .magicsearch.ws URL in it. This time, press CTRL and ALT and DELETE (or DEL) at the same time and go to the processes tab in Windows XP. Look for a file in that list called directx.exe or some executable file that isn't meant to be there running from you're user account. Click it and click end task. You have closed the secret file that is putting the entries back into the listbox. Go back to HijackThis! and check all of the lines and click Fix Checked again. Wait 20 seconds and click Scan. There, all gone!

Now to make sure that our little twat friend that puts the entries back dosn't come back. Click start, My Computer. Double Click you're main hard drive and go to Program Files and in there go into a folder named Common Files. In the Common Files directory, there should be a folder called Services. Delete that. If you recieve an access denied error, look at the filename in the error box and press CTRL + ALT + DEL again and close it's a**(edit).

When that Services folder is deleted and when you press scan in HijackThis! and nothing appears, CONGRATULATIONS! YOU HAVE KICKED THE PIECE OF CRAP MAGICSEARCH.WS IS OFF YOUR SYSTEM!

[narayan]

Thanks for the replys. AdAware didn't work, HijackThis didn't work. Spybot didn't work. Will try Trendmicro.com tonight. I;'m beginning to lose my patients with this. I am able to type about 10 words before they even appear in the box. Neat.

Thanks again, I'll let you know.

[whitebeard21]

Naryan this is what you have, the site with the removal tools is under a constant dos attack but this link will give you the latest links to a removal tool.

I'm not Mike, but I copied this brief description from Merijn's page and thought it might help you:
"The latest and greatest nuisance on the Internet, the browser hijacker that won't stop, the trojan from hell... name it what you want, but fact is that a company naming itself 'Coolwebsearch' (CWS) is producing a quickly growing strain of trojans that exploit a hole in the Microsoft Java VM, and change your homepage.

And by changing your homepage, I mean lodge itself onto your system in almost two dozen different ways, change your start page, search page, search assistant, redirecting you to porn sites from other porn sites or even search engines, popping up porn ads and sometimes even carrying a payload."

http://www.lurkhere.com/forum600.html then scroll >spies>CoolWebShredder - Latest Update Pages 1 | 2
Please Post the Most Recent CoolWebShredder Update Here

[narayan]

FINALLY!! I think it's gone. at least for now. Whitebeard, I didn't get a chance to try your link before a friend told me about PestPatrol. THink I'm gonna go there now just to see what I can find out. Thanks to all. I learned a little today.

[whitebeard21]

I got that thing when my granddaughter was dl some music. It drove me nuts for a week. It seems to be a Russian site bouncing between Samoa, Singapore, Macao and who knows where else.