Help! Infected with "Cool Web Search" Trojan

bubba


My kid (I think) got the computer infected with the Cool Web Search Trojan virus. It puts stuff on my favorites list and pops up windows that my blocker won't block.

I have tried CW Shredder and NAV - neither have worked. I even bought No Ad Ware for $29 - no joy.

Can anyone help me with this?

Thanks,

Eric
 
Re: Help! Infected with "Cool Web Search" Trojan

Thanks Scott and Steve.

I re-downloaded Spybot and ran. Twice it hung up after I told it to Fix. Finally it finished. Didn't remove it.

I also tried to download the beta version of the MS utility, but I couldn't because I could not find my original MS Windows authentication number.

The problem still remains.

Any other suggestions?

Thanks,
Eric
 
CWS is ugly to remove.

You'll want Spybot Search & Destroy and you'll want an anti-virus program. Might as well get AdAware while you're at it and search for others.

Run all of them and tell it to clean up any spyware & viruses they find. You may need to run multiple times. If that doesn't work, you'll need to reboot the machine into the administrator mode and try it from there. You may also need to disable or turn off the system restore feature; sometimes the spyware uses that to restore itself after cleaning. I would also consider getting a program called HijackThis from TomCoyote.org which allows you to manually clean up the registry. HijackThis requires a little more technical skill.
 
Re: Help! Infected with "Cool Web Search" Trojan

Scott,

I did try the link you provided. It said that I did not have the program that kills CWShredder. So far nothing has worked.

Thanks,
Eric
 
Re: Help! Infected with "Cool Web Search" Trojan

wsuffa said:
CWS is ugly to remove.

You'll want Spybot Search & Destroy and you'll want an anti-virus program. Might as well get AdAware while you're at it and search for others.

Run all of them and tell it to clean up any spyware & viruses they find. You may need to run multiple times. If that doesn't work, you'll need to reboot the machine into the administrator mode and try it from there. You may also need to disable or turn off the system restore feature; sometimes the spyware uses that to restore itself after cleaning. I would also consider getting a program called HijackThis from TomCoyote.org which allows you to manually clean up the registry. HijackThis requires a little more technical skill.
Bill,

I did try S&D and Ad Aware- no joy.
I will go try your other link now.

Thanks, Eric
 
Ok, now it gets ugly...

Are you ok with regedit? The next step would be to see what's loading with Windows.
 
You might download something like "Windows Startup Inspector".
http://www.windowsstartup.com/

Some of these programs load commands in your startup deck (how old school is THAT?) that re-install the popup machine when you re-boot. So you clean it up and the next time you boot up.... there it is again.

People who write popup ads, send spam, and write virus software are the best argument for the death penalty in this country.
 
I had a similar situation on my daughter's laptop last year. I discovered Computer Cops (now http://castlecops.com/) and solved CWS and a ton of other problems. Check out the site. You'll need to post on their site and someone will respond to your problem with specific steps and software that may be necessary to download.

Good luck!
 
I've fixed dozens of these, unfortunately. Thankfully, none of them have been in my office (knock on wood).

Download and install both Spybot and Adaware. It sounds like you're there already. Make sure they are up-to-date (Spybot has Check for Updates, not sure about Adaware). Don't bother running them.

Reboot and hit F8 BEFORE you see the Windows splash screen. I usually keep tapping it after I hit the power switch. A menu will pop up in DOS mode. Select Safe Mode only. Not with network support.

Once in Safe Mode (it will give you all kinds of warnings on the way in), go back to Spybot and Adaware. Run them both (don't have to check for updates 'cause you updated them earlier, right?). This normally fixes the problem.

The reason: a lot of spyware now have babysitter processes built-in. It actually starts TWO processes and they each monitor the other. They also check for any changes to the startup config (regedit, Startup folder, etc.) and make sure their processes haven't been deleted. If an anti-spyware app clears one process, the other detects it, restarts the process from a backup somewhere and, by the time the anti-spyware hits the second process, the first restarted one has it covered. Nasty stuff but I have to admit, it's rather ingenious. I've watched it happen on a test box.

In Safe Mode, Windows only starts the absolute minimum to give you a GUI. Nothing else starts so the processes aren't active to babysit. You'd be surprised at how much more effective anti-spyware is in Safe Mode.

Good luck.
 
Re: Help! Infected with "Cool Web Search" Trojan

Hi Brian,

I did just like you suggested, no joy.
When I open IE I still get popup windows and there are 11 new bookmarks in my Favorites.
When I try to delete the bookmarks, I right click and the only option available is Close Toolbar.
If I go to one of my bookmarks (like POA) and right click I get the normal list of options.
When this thing started today, the first thing was that it changed my home page to some search page. Then I noticed the bookmarks.

Man this is getting irritating!

Thanks for the try though,
Eric
 
Re: Help! Infected with "Cool Web Search" Trojan

drhunt said:
I had a similar situation on my daughter's laptop last year. I discovered Computer Cops (now http://castlecops.com/) and solved CWS and a ton of other problems. Check out the site. You'll need to post on their site and someone will respond to your problem with specific steps and software that may be necessary to download.

Good luck!

David,

I checked out castle cops and another poster is having the same problem. I will monitor his progress and see if they beat it. So far they were unsuccessful.

Thanks,
Eric
 
Re: Help! Infected with "Cool Web Search" Trojan

sshekels said:
Ok, now it gets ugly...

Are you ok with regedit? The next step would be to see what's loading with Windows.

I have used regedit before.
I'm not too savvy though......
Eric
 
Eric - if you want, give me a call this week, and I'll help you over the phone, or I could make a house call. It'll be a good excuse to fly over to 21d!
 
If it's changing right-click behaviour, it's got a DLL registered with IE.
 
Re: Help! Infected with "Cool Web Search" Trojan

sshekels said:
Eric - if you want, give me a call this week, and I'll help you over the phone, or I could make a house call. It'll be a good excuse to fly over to 21d!

Thanks Scott! That is really generous! And, I may need to take you up on your offer. I would of course provide dinner and the non-alcoholic beverages of your choice!

I have been following a thread on CastleCops and the last recommendation (posted this am) is pasted below. I will wait to see if it works and then give a try. If this thread does not work out, I will look up your number and give you a call. I really appreciate your help on this!

Eric


Scan again with HijackThis and check the following items:
Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\czhri.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\czhri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\czhri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\czhri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\czhri.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\czhri.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\czhri.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A3C53C5A-AEA9-B83C-6286-3CF10064FF9A} - C:\WINDOWS\system32\atlvw.dll
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\syszo32.exe (file missing)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Make sure all hidden files and folders are visible (Instructions)
Reboot your computer into safe mode (Instructions)

Find and delete these files (if they are still there):
C:\WINDOWS\czhri.dll
C:\WINDOWS\system32\atlvw.dll
C:\WINDOWS\syszo32.exe

Stay in safe mode

Start CWShredder
Click "Fix" to remove the CWS infection.

Start About:Buster
Click Start to begin the scan.

- If prompted to end the Explorer.exe process, click Yes.
- Your desktop may disappear --- this is normal.

Allow the program to scan twice, and when complete click "Save Log".
This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.

Please post the entire contents of that logfile here for me.
Please also restart your computer and post a new HijackThis log.
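
The step from the HijackThis log to the "find and delete these files" list in the instructions above, as an added example that is not part of the original thread: a small Python parser that reads HijackThis entries and lists the files they reference. The function names `triage` and `files_to_review` are made up for this illustration; the script only lists files for review and does not judge whether an entry is malicious.

```python
import re

# HijackThis lines copied from the log quoted in the thread (a subset,
# embedded here so the example runs offline).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\czhri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A3C53C5A-AEA9-B83C-6286-3CF10064FF9A} - C:\WINDOWS\system32\atlvw.dll
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\syszo32.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
REG_VALUE = re.compile(r"^(?P<key>HK[^,]+),(?P<name>[^=]*?)\s*=\s*(?P<data>.*)$")
RES_URL = re.compile(r"^res://(?P<path>.+?\.(?:dll|exe))/", re.IGNORECASE)
MISSING = " (file missing)"

def triage(log_text):
    """Return one finding per log entry that names a file on disk."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        code, body = entry.group("code"), entry.group("body")
        if code in ("R0", "R1"):
            # IE start/search values: only res:// data points at a local binary.
            reg = REG_VALUE.match(body)
            res = RES_URL.match(reg.group("data")) if reg else None
            if res:
                findings.append({"code": code, "kind": "ie-setting",
                                 "file": res.group("path"), "missing": False})
        elif code in ("O2", "O23"):
            # BHOs and services: the file path is the last " - " field.
            path = body.rsplit(" - ", 1)[-1]
            missing = path.endswith(MISSING)
            if missing:
                path = path[: -len(MISSING)]
            kind = "bho" if code == "O2" else "service"
            findings.append({"code": code, "kind": kind, "file": path, "missing": missing})
    return findings

def files_to_review(findings):
    """Unique file paths in first-seen order, compared case-insensitively."""
    seen = {}
    for f in findings:
        seen.setdefault(f["file"].lower(), f["file"])
    return list(seen.values())
```

Run over the sample, `files_to_review(triage(SAMPLE_LOG))` yields the same three paths the helper listed, and the service entry carries `missing=True` because HijackThis already reported its file as absent.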
 
Eric,

If you've not already done so, you should download and run HijackThis to be sure you have the same entries on your system. I'd actually recommend just posting your log as the start point for them to look at. It is hard to be sure that the other poster has the same issue and you may have something in addition to CWS.

Best,

David
 
Sometimes Cool Web variants install dll's that regenerate dlls that reinstall the web search if it's removed. If it's a new iteration of the hijack, the tools won't catch it. Run a find (in safe mode) of dlls created within the last month and you will see several probably on a specific day with a recent date. Delete them in safe mode. Then run all the tools and scan the registry.
 
Re: Help! Infected with "Cool Web Search" Trojan

Flyboy said:
Sometimes Cool Web variants install dll's that regenerate dlls that reinstall the web search if it's removed. If it's a new iteration of the hijack, the tools won't catch it. Run a find (in safe mode) of dlls created within the last month and you will see several probably on a specific day with a recent date. Delete them in safe mode. Then run all the tools and scan the registry.

Thanks Ron,

I will try this tonight when I get home.
So far, this thing is kickin my A$$!

Eric :dunno:
 
BE VERY CAREFUL doing that. You can just as easily kill off MS updates, new software, etc...

CAUTION WILL ROBINSON!
 
sshekels said:
BE VERY CAREFUL doing that. You can just as easily kill off MS updates, new software, etc...

CAUTION WILL ROBINSON!

Good point!

All the ones I've seen are obvious that they aren't system stuff. When in doubt, copy them to a CD and put the CD in a fireproof lead-lined box so they can't infect anything else in case you need to restore a deleted file.

I fought this thing for a month until I finally figured that out. Took out the dlls and *poof* no more coolweb. (I then restricted the site on the user's machine.)

Cool web swears it's not them and that they don't condone this activity, but it's pretty obvious they are behind it and a lot of sites have picked up their idea.

I think installing some patches also disables the ability for CW to exploit your machine, but I don't know which patches they are.
 
Re: Help! Infected with "Cool Web Search" Trojan

Flyboy said:
Sometimes Cool Web variants install dll's that regenerate dlls that reinstall the web search if it's removed. If it's a new iteration of the hijack, the tools won't catch it. Run a find (in safe mode) of dlls created within the last month and you will see several probably on a specific day with a recent date. Delete them in safe mode. Then run all the tools and scan the registry.

Ron,

I did as you suggested and ran safe mode, found *.dll for the past week.
I erased about 10 that I could tell were not associated with any programs I installed, from the day that this all started.

Then I did Spybot S&D - clean.
Ad-Aware SE - clean.
CW Shredder - clean.

Reboot - Open IE - same thing. CRAP!!!!!

Thanks for the suggestions.
Eric
 
Eric, have you checked IE add-ons? Tools menu...Manage Add-ons. See if anything looks unusual. You might see an add-on for any toolbars you're using (Google, Yahoo, etc.) or Instant Messaging. I've got one for my PDA as well.

You can disable an add-on by clicking on it and hitting Disable at the bottom of the window.
 
Re: Help! Infected with "Cool Web Search" Trojan

Brian Austin said:
Eric, have you checked IE add-ons? Tools menu...Manage Add-ons. See if anything looks unusual. You might see an add-on for any toolbars you're using (Google, Yahoo, etc.) or Instant Messaging. I've got one for my PDA as well.

You can disable an add-on by clicking on it and hitting Disable at the bottom of the window.

I disabled a couple that I didn't recognize as programs I know about.
It seemed to help a bit.
It sped up the system and - so far - the search bar that used to start doesn't!
I still can't get rid of the bad favorites yet. Or the pop ups.

Thanks for the help.
Eric
 
Dumb question:

Did you go into IE tools>internet options and change your home page back to what you want?

I'm pretty sure you have to do that manually on this also. At least I did.

Otherwise, the CW is a cruel shrewd hijack that is constantly morphing. Keep hacking at it with all these tools and try to think outside the box. Somewhere on your system is a file that kicks this thing off, you just have to find it.
 
Eric,

I feel like I'm watching the death of 1,000 cuts...
1. Download HijackThis
2. Run and post log on Castlecops.com
3. Follow their specific instructions precisely
This will work out for you.
 
Re: Help! Infected with "Cool Web Search" Trojan

drhunt said:
Eric,

I feel like I'm watching the death of 1,000 cuts...
1. Download HijackThis
2. Run and post log on Castlecops.com
3. Follow their specific instructions precisely
This will work out for you.

Hi David,

I did post my HJT log two days ago.
So far no reply. They are pretty busy I'm sure.
I'll keep watching.

Eric
 
Re: Help! Infected with "Cool Web Search" Trojan

Flyboy said:
Dumb question:

Did you go into IE tools>internet options and change your home page back to what you want?

I'm pretty sure you have to do that manually on this also. At least I did.

Otherwise, the CW is a cruel shrewd hijack that is constantly morphing. Keep hacking at it with all these tools and try to think outside the box. Somewhere on your system is a file that kicks this thing off, you just have to find it.

Yes, I did change back. And it stayed that way so far.
I'm hoping that the Castlecops guys can help me.
Eric
 
bubba said:
My kid (I think) got the computer infected with the Cool Web Search Trojan virus. It puts stuff on my favorites list and pops up windows that my blocker won't block.

I have tried CW Shredder and NAV - neither have worked. I even bought No Ad Ware for $29 - no joy.

Can anyone help me with this?

Thanks,

Eric
I've not read this entire thread, so please don't shoot me for chiming in at this late date, but have you tried Add/Remove Programs from the control panel? My kids recently got this and I was able to just uninstall it and then use ad-aware to clean up the remnants.
 
Re: Help! Infected with "Cool Web Search" Trojan

inav8r said:
I've not read this entire thread, so please don't shoot me for chiming in at this late date, but have you tried Add/Remove Programs from the control panel? My kids recently got this and I was able to just uninstall it and then use ad-aware to clean up the remnants.

Mike,

Do you remember what program was it that you uninstalled?
I could look for it.....

Thanks,
Eric
 
OK, I wasn't sure if you had done that. I've normally had responses within 12-24 hours. 2 days seems a bit long, but suggest you keep checking.

Again, I hope this works for you soon.
 