I got raped by coolwebsearch from onemoresearch.net DONT GO THERE!
I cleaned everthing with ,ad-aware, spy doctor, spybot. spysubtract and CWShredder and it keeps coming back! I also found the .nlm7lAx1-9 in my services. I see javxo.exe and apies.exe in ad-aware. Ad-aware gets to the point ot crashes. I went in safe mode ran and cleaned everything but It keeps coming back. I just want to smash there heads in!!!!!!!! what do I do?

:mad:

I got the .nlm7lAx1-9 disabled and it seems not to be reloading but now how do I delete it from my servcies?

Matt H,
Please download Hijack This (http://www.subratam.org/?page=removal), install it in a folder on the HDD and scan the PC with all files shown (no hidden files). Copy and paste the resulting file into this thread as a reply and wait for one of our HJT experts to explain which items to remove before removing anything. Some of this stuff must be removed in layers and in a particular order.

Logfile of HijackThis v1.99.0
Scan saved at 04:12, on 1/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

Did you run that log in Normal mode?? it needs to be...

Also, did you edit it or put anything on the whitelists??

Nothing was edited at all and I ran it in normal mode. I got so mad that I just selected all from hijack this and clicked fix. I think that .nlm7lAx1-9 was doing the reinstalling but now I want to remove it from my services. Its disabled and I havent seen anymore coolwebsearch.

Here it is again did it during this post.

Logfile of HijackThis v1.99.0
Scan saved at 07:50, on 1/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Xfire\Xfire.exe
G:\Sonic Foundry\Sound Forge 7.0\forge70.exe
C:\WINDOWS\winhlp32.exe
G:\Valve\Steam\Steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Applications\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

Well your log looks clean, but if you just fixed everything in HJT you are likely to have all sorts of problems as a result... It is NOT a good idea to do that and you are lucky the computer is still working.... :eek: :eek:

What I did was disable the service nlm7lAx1-9 service, removed everthing from hijackthis and ran every spyware cleaner I had. I think one of the spyware cleaners repaired my IE after I did remove all from Hijackthis. wasnt think I was so mad. Cause either way my IE start would go to a page and download those unwanted files and if I cleaned it and It would install them again from the .nlm7lax1-9 service when I rebooted. So it made a hook or something.

Now can you tell me how I can delete this service or where to find where its regeristing from? Thats my next step. Thanks

I don't see any evidence of the service in your log.... are you still seeing evidence that it is there?? If so, we will probably need to do a StartupList Log and see if we can find it there...

I suspect the only reason your computer is still working is that HJT has whitelists with the most common and essential files that don't show up in the log, so you weren't able to mess them up when you fixed everything in HJT... I still don't recommend that you try that again... Ask for help first...