# [Resolved] Coolwebsearch - {unipages Google hijack}



## Katharsis (Jul 25, 2003)

Hi everyone!

My problem:
Every 2nd or third search result from my search page (google.de), a coolwebsearch page pops up and annoys the crap out of me...

My actions:
I read through this forum and ran all of the programs (cwshredder, spybot, ad-aware), and finally I ran HijackThis. I read through the tutorial and fixed the keys and so on myself, but I must have missed something; after rebooting, the problem showed up again.

My hijack log:
Logfile of HijackThis v1.95.1
Scan saved at 15:43:01, on 25.07.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TBPanel.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Tiny Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
E:\Eigene Dateien\Programme\System\hijack\HijackThis.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [GAINWARD] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/dribnif/de/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D866E70-60A4-46C3-B784-9BE481653DC3}: NameServer = 213.191.74.18 213.191.74.19

So if anyone more experienced could give me a hand here, I'd be more than happy. Thanks


----------



## Rollin' Rog (Dec 9, 2000)

Not sure why you are still getting it, but remove these with HijackThis:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm

Also, would you do a file search for msspi.dll and right click on it and select Properties and see if there is any copyright or version information on it. It may be associated with your firewall or antivirus so I'm not going to recommend removal unless we know what it is.

If there are any other User Profiles on the XP system, log on under those names and post separate HijackThis scans for each one. Also, if you have run any cleaning programs like Spybot, you should do so under each profile.


----------



## Katharsis (Jul 25, 2003)

Thanks a lot for your quick reply!! 
I deleted those two keys you recommended, but unfortunately, nothing changed. 
The .dll file has the following properties, all other ones are unknown: copyright 2003, version 1.0.0.0, language Russian !?... It was created 3 days ago, which might match the day the trouble started. You think I should try and delete it?
Btw, there's only one profile on my machine...


----------



## $teve (Oct 9, 2001)

Rename the .dll for a few days... see if it's a needed one.


----------



## Rollin' Rog (Dec 9, 2000)

No wait, don't rename it; you might lose internet access.

Use this program to fix the lsp protocol:

http://www.cexx.org/lspfix.htm

Also, is it the same coolweb search page that comes up? Can you provide the link? We can do a regedit search for it to see if it's hiding there someplace.


----------



## Katharsis (Jul 25, 2003)

The file is used by my firewall, so this can't be it, but thank you for all the help so far.

I ran another hijack scan; it's all the same except for those two keys I deleted, but I'll post it anyway.

Logfile of HijackThis v1.95.1
Scan saved at 18:44:08, on 25.07.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TBPanel.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Tiny Personal Firewall\PERSFW.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
E:\Eigene Dateien\Programme\System\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [GAINWARD] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/dribnif/de/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D866E70-60A4-46C3-B784-9BE481653DC3}: NameServer = 213.191.74.18 213.191.74.19

If you have any ideas, please let me know.


----------



## Rollin' Rog (Dec 9, 2000)

Post a copy of the link you are getting directed to.

Also, have you completely deleted your Temporary Internet Files, including Offline content?

You might try creating another User Profile and see if the problem continues there.


----------



## Katharsis (Jul 25, 2003)

It happens when I enter a search request at Google. A site pops up and normally redirects me to coolwebsearch.com.
This is the site that pops up:
http://www.unipages.cc/search.cgi?text=dfhdh (or whatever I was looking for)
What's weird now is that the window pops up, but it says "server can't be found".
I deleted all the temp files, offline content and cookies also.


----------



## Rollin' Rog (Dec 9, 2000)

Try this, go to start and run *regedit*

Click Edit > Find and enter *unipages* and hit Find Next

Right click on and delete any finds. Hit f3 to continue the search until complete. I think that will find it best, but you can also try entering the entire url. Always start new regedit searches with the file tree collapsed.

By the way if you do find it in the registry, would you note the registry key where it is found?


----------



## Katharsis (Jul 25, 2003)

Maybe I should add that it changed my homepage at first too. Now it's only the site unipages.cc that pops up during searching, although right now a server can't be found...
I searched the registry for entries of unipages, but unfortunately, no results.


----------



## Rollin' Rog (Dec 9, 2000)

Have you tried deleting cookies as well as the TIF? If not, that seems the most likely candidate now. You will have to reenter passwords on all sites that require them, such as this.

Also, try this, go to Internet Options > Programs tab and click "reset web settings". You will probably need to reestablish your Homepage after that.

You can also do something similar in the Search > Custom dialog; but it's a longshot for fixing it, since you seem to be navigating to Google first and encountering the problem.

The only other thing I can suggest is trying a new User Profile. Or you can try deleting the temporary internet folder in your current profile, but this is a little tricky.

To do the latter, probably easier than creating a new profile, actually. You must run *cmd* to open a DOS window.

Then you must change directories to the one just preceding the TIF. For example, if I did it, the first command to enter would be:

cd C:\DOCUME~1\ROLLIN~1\LOCALS~1

.... where ROLLIN~1 is the DOS shortname for my User Name. You must use the tilde where any folder name is greater than 8 characters.

Once you are at the correct prompt enter:

rd /s tempor~1

Internet Explorer must be closed when you do this. In fact it might even be necessary in some cases to start in safe mode and run *cmd* from there.


----------



## Katharsis (Jul 25, 2003)

I reset the web settings, but no success yet.

I completely emptied that TIF folder before. If I additionally delete it now through the DOS-Prompt, will it be recreated automatically with the next reboot?


----------



## Rollin' Rog (Dec 9, 2000)

Yes, deleting it will delete the cookies folder and index.dat as well as the TIF cache, both related. That's why I suggested cookies first, but it's possible some can survive when doing the deletion through IE.


----------



## Rollin' Rog (Dec 9, 2000)

By the way, are you sure that dll and the protocols associated with it are related to your firewall? I've never seen that with TPF before.

You mentioned something about a Russian language file.

The unipages domain you are getting directed to is Russian (at least this is where a trace of www.unipages.cc takes me) -- and I am unable to connect by domain name or IP, so you must have something protocol wise enabling the connection.

Registrant:
RISS Telecom Siberia (SIBERIA2-DOM)
901, 12 Lenin Street
Novosibirsk, Siberia 630099
RU

Domain Name: SIBERIA.NET

Administrative Contact:
Gavrichenko, Sergey V (SG450) [email protected]
Magistral Telecom JV.
901, 12 Lenin Street
Russia Siberia 630099
RU
+7 383 222 5678 fax: +7 383 218 0442
Technical Contact:
Gorbatenko, Sergey J (SJG30) [email protected]
Magistral Telecom JV.
901, 12, Lenin st.
Novosibirsk, Siberia 630099
RU
+7 3832 22 5678 fax: +7 3832 27 0475

Record expires on 05-Oct-2005.
Record created on 06-Sep-2002.
Database last updated on 25-Jul-2003 14:32:34 EDT.

Domain servers in listed order:

SIBERIA.NET 212.17.0.42
NS.SIBERIA.NET 212.17.1.65
NS.ZSTTK.RU 80.89.128.5


----------



## Rollin' Rog (Dec 9, 2000)

Bingo!

http://forums.techguy.org/showthread.php?postid=1004300#post1004300

I'm going offline for a while now, but when you get back, I'd suggest you go ahead and download and run the lspfix application I referred to earlier. It is safer than a HijackThis deletion.

You can then find and delete the dll.

You may have to enter:

regsvr32 /u msspi.dll

first if you get access denied.

Don't try to unregister or delete the file before you have repaired the lsp stack using the application I mentioned.


----------



## Katharsis (Jul 25, 2003)

First of all, thank you very much for your endurance in searching for a fix for this.

When I run lspfix, it shows 4 .dll files in the "keep" window (the msspi is among them). When I press finish, lspfix doesn't really change anything, I guess... Should I add the msspi.dll to remove?

The reason I think the msspi has something to do with TPF is that when I renamed the msspi, the firewall (PersFW.exe) had the following error messages while starting:
PfVarLibInit: var_server_start error 1(10106: socket() failed)
FilterLogSysLogInit: Unable to open socket(error 10106)-logging to syslog will not work

After running lspfix, I tried to unregister msspi, getting the following message (it's translated, so it might read differently on an English system):
msspi.dll was loaded but DllUnregisterserver-entrancepoint was not found, file cannot be registered.

I cannot delete the file either...


----------



## Rollin' Rog (Dec 9, 2000)

I am 99.9% certain that msspi.dll is not associated with the firewall. That other thread on our site is literally the ONLY hit for it in all cyberspace, so it is something very new. And the coincidence of that individual having exactly the same problem is too much.

Also I went back over a number of Tiny Personal Firewall listings in past HijackThis threads and there are no such protocol changes associated with it.

Have you actually removed the listed protocols with lspfix? And if so, do you still encounter the google hijack?

The reason why lspfix probably is not listing it in the "remove" section is because it can't identify it with the usual culprits we run that file for: new.net and a very few others.

It may be necessary to delete the file in Safe Mode, but this should only be done after the lsp protocols are properly set.

If you want, you can backup the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2

By selecting and clicking Registry > Export. It can be restored by double clicking the registry icon where you've saved it. 

Keep the dll in the recycle bin, or rename it from safe mode for a while.

Post another HijackThis Scanlog if you are unsure if it is still there.


----------



## Katharsis (Jul 25, 2003)

That was it!!!
Removing the msspi entry with lspfix did it.
After that, I could delete the file w/out any problems...
Alright, I'll sum up what I did for people w/ the same problem.

1. Run Spybot 
2. Run Hijack This and fix the keys concerning starting page, search page etc. in which unipages.cc can be found (or post it here if unsure)
3. Run lspfix and remove the msspi.dll entry
4. Rename msspi.dll or keep a backup because it's safer that way; I didn't do a long-term test yet.

Thank you very much Rollin' Rog, I appreciate your help a lot.


----------



## Rollin' Rog (Dec 9, 2000)

Hey that's great; it's always especially satisfying to find and snuff some new rascal like that 

You're most welcome for the help.

I'm sure this thread will be one of Google's favorite cached links in no time.


----------



## Toddeo (Jul 25, 2003)

Thanks to Katharsis for pointing me in the right direction, and rollin rog for the solution. I followed all your instructions and am now making normal searches in Google again thankfully.


----------



## stevie77 (Jul 5, 2003)

I am still having problems where the web page coolwwwsearch is still popping up every so often. I thought the problem had been resolved since the last time I was in bother (5/7/03) with it, but somehow it has crept back in. The problem is nowhere near as bad as last time. Attached is my log file if anyone can help.


----------



## TonyKlein (Aug 26, 2001)

You've more than "just" CWS.

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.1stpagehere.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.1stpagehere.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.1stpagehere.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.1stpagehere.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/cd/Browser_Plugin.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://www.phonesys.net/EPlugin.cab
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab

O19 - User stylesheet: C:\WINDOWS\default.css

Now restart your computer, and delete the following:

The C:\WINDOWS\SYSTEM\MSREXE.EXE file
The c:\windows\winlogon.exe file
The C:\WINDOWS\default.css file.

And run an online virus scan at Trend Micro HouseCall or Panda Active Scan.


----------
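As an added example (not part of any post in this thread and not HijackThis's own code), the Python sketch below triages log lines in the format quoted above: it collapses the repeated O10 "Unknown file in Winsock LSP" lines discussed earlier into one count per DLL, and decodes R0/R1 values like the ones listed in the post above whose URL percent-encodes ordinary letters and digits. The sample log is constructed, `www.example.invalid` is a placeholder host, and all function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the HijackThis v1.95 line format quoted in this thread.
# www.example.invalid is a placeholder host, percent-encoded in the same style
# as the CustomizeSearch value listed above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64/%78%31%2e%63%67%69
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
LSP_PREFIX = "Unknown file in Winsock LSP: "


def parse_entries(log):
    """Return (section code, text) pairs; headers and process paths are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def unknown_lsp_files(entries):
    """Collapse repeated O10 lines into one count per DLL path."""
    return Counter(text[len(LSP_PREFIX):].lower()
                   for code, text in entries
                   if code == "O10" and text.startswith(LSP_PREFIX))


def needlessly_encoded(url):
    """True if a %XX escape hides an ASCII letter or digit, which never needs escaping."""
    for hexpair in re.findall(r"%([0-9A-Fa-f]{2})", url):
        char = chr(int(hexpair, 16))
        if char.isascii() and char.isalnum():
            return True
    return False


def obfuscated_urls(entries):
    """Return (registry value, decoded URL) for R0/R1 entries with needless escapes."""
    hits = []
    for code, text in entries:
        if code not in ("R0", "R1") or "=" not in text:
            continue
        name, data = (part.strip() for part in text.split("=", 1))
        if needlessly_encoded(data):
            hits.append((name, unquote(data)))
    return hits


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for path, count in unknown_lsp_files(entries).items():
        print(f"O10: {path} listed {count} times")
    for name, url in obfuscated_urls(entries):
        print(f"{name} -> {url}")
```
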



## TonyKlein (Aug 26, 2001)

> stevie77 wrote on 07-28-2003 09:49 PM:
> Tony,
> thanks for the help. I have deleted exactly what you suggested but I cannot delete the MSREX.EXE file. It comes back with the specified file is being used by windows. Any suggestions?
> 
> Stevie77


Are you sure you restarted your computer after having HT fix its startup entry?

Start your computer in Safe Mode, and delete the file there.

Then, still in Safe Mode, re-run Hijack This, and make sure the items mentioned have been fixed.

That should work.

And do run that online scan!


----------



## stevie77 (Jul 5, 2003)

Tony,
I did the restart, after the fix. I will try the run in safe mode. 

Thanks again
S.


----------



## stevie77 (Jul 5, 2003)

Tony,
I ran the Panda active scan and it found three infected files. This seems to have cleared the problem for now.
Thanks again for your help


----------



## TonyKlein (Aug 26, 2001)

No prob. It's a pleasure!


----------



## Rollin' Rog (Dec 9, 2000)

Folks, to enable the best support for this coolwwweb problem I am going to close this thread. Please, if you need help, start a separate thread and include a copy of your HijackThis Scanlog, a description of the problem and any steps you have taken so far.


----------

