Coolwebsearch troubles continue
-
srbarnes4ever
- Member
- Posts: 94
- Joined: Fri Dec 06, 2002 9:15 pm
- Location: Lexington, KY
Coolwebsearch troubles continue
Still having repeat problems with CWS on my Win2k Pro laptop... can't seem to shake this variant I have... it continues to rename itself with a new ***.dll file that seems to trigger, or be the catalyst for, a bunch of registry changes and exploits of IE. Ad-aware finds it, HijackThis finds it, CWS finds both Jsearch and Searchx variants... but upon reboot... all is back to exploitation mode....... need help....
Peace,
Stevie B.
Check out this page, especially the "Terminating CWS" section: http://www.scumware.com/apps/scumware.p ... lications/
Seems like a nastier than usual bug. I can't personally vouch for CWShredder, but the CoolWWWSearch.Smartkiller is made by PepiMK who also puts out Spybot.
I'd try these 2 programs and see if it fixes it.
spec-
Rig #1- AMD XP 2400+, A-Bit KR7A/266, Gainward Geforce3 ti200 64mb Golden Sample, 1GB Crucial DDR, 40 gig WD HDD (7200), XP PRO, Vantec Stealth 420 PSU, Soundblaster Live 5.1
Rig #2- P4 2.4c, Abit IC7 800 FSB /w onboard sound, Radeon 9700 Pro 128, 1 Gig Corsair 3200 XMS, Dual (SATA) 36GB WD Raptor's in RAID 0, XP Pro, Antec Truepower 400
Rig #3-AMD Barton 2500+, Albatron KX600 (via), 1 gig Corsair 3200, Radeon 9600 Pro 128, Seagate 80 gig HD, Antec Truepower 400
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
CWS Shredder from http://www.spywareinfo.com/~merijn/downloads.html should do the job...
Disclaimer: Please use caution when opening messages, my grasp on reality may have shaken loose during transmission (going on rusty memory circuits), even though my tin foil hat is regularly audited for potential supply chain tampering. I also eat whatever crayons are put in front of me.
๑۩۞۩๑
-
srbarnes4ever
- Member
- Posts: 94
- Joined: Fri Dec 06, 2002 9:15 pm
- Location: Lexington, KY
Philip wrote: CWS Shredder from http://www.spywareinfo.com/~merijn/downloads.html should do the job...
Been there... attempted that... none worked... tried versions 1.57, 1.58, and 1.59 to no avail....
Peace,
Stevie B.
-
srbarnes4ever
- Member
- Posts: 94
- Joined: Fri Dec 06, 2002 9:15 pm
- Location: Lexington, KY
I've used Ad-aware, CoolWebSearch, HijackThis and others... all in SAFE MODE, with no network enabled... and this thing keeps coming back.
blebs99 wrote: Disconnect from the internet when trying to terminate this thing. It connects and that's when the name changes occur because it updates itself. Post the HJT and Ad-aware logs and let me see if I can find what to short circuit to get the job done.
Peace,
Stevie B.
-
srbarnes4ever
- Member
- Posts: 94
- Joined: Fri Dec 06, 2002 9:15 pm
- Location: Lexington, KY
blebs99 wrote: Nonetheless, can you post the logs for me to look at? I just had one that I dealt with that I thought was CoolWebSearch and it turned out to be Pepper instead. It took some extra settings and a tweak or two in Ad-aware, but between AAW and HJT we got rid of it.
Will have to do so from home tonight... that's the other missing detail here... I have YET to see the exploitation while logged into my business network (either at the office or via VPN from home) and using IE. We have a proxy server, but it's not clear to me why that's stopping the exploit. As soon as I get onto a non-secure IE environment, whammo! Any thoughts?
Peace,
Stevie B.
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
-
srbarnes4ever
- Member
- Posts: 94
- Joined: Fri Dec 06, 2002 9:15 pm
- Location: Lexington, KY
I'd be interested in the extra settings for Ad-aware... I think I have about everything checked that's available in the Settings section, but perhaps not.
blebs99 wrote: Nonetheless, can you post the logs for me to look at? I just had one that I dealt with that I thought was CoolWebSearch and it turned out to be Pepper instead. It took some extra settings and a tweak or two in Ad-aware, but between AAW and HJT we got rid of it.
I'm home now and rebooted my laptop. I first ran an HJT log and got all clear. Then ran Ad-aware and it found 2 registry values. I did NOT remove the registry entries yet. I re-ran HJT and again it didn't find anything out of the ordinary. Up until then I had not had one of the takeover popups hit me (Spybot or SpywareGuard). I just now opened CWS and for the first time it is giving me the CWS.Smartsearch.2 variant. I'm going to go ahead and let CWS try to clear this out. Again, this is the first time I've gotten this error.
Peace,
Stevie B.
Reboot/restart the computer. Now with Ad-aware:
Please make sure that you have these options checked:
Under Ad-aware 6 > Configurations > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Also, please check to see if you have the option "quarantine all objects prior to removal" checked. Open Ad-aware > General Options; there is an option "Automatically quarantine objects prior to removal".
Run Ad-aware, using the In-Depth scanning mode.
Mark the objects for removal you wish to get rid of, and then choose Next.
Be sure to reboot/restart your computer after removal.
IMPORTANT
Now if you get to the point where you are trying to remove all of the objects and you have waited a sufficient amount of time and are sure that the removal has failed...
Try to remove the objects selectively.
In the results window:
Highlight one object that there seems to be a bunch of.
Right-click and choose the command to highlight all of those entries.
Then remove them.
Do this with all of the entries with multiple objects.
When you are reduced to just the others with one or a few, remove them.
It may take a couple of scans to complete, but it should work for you.
This is something that is happening on a few rare occasions and we are trying to pinpoint the cause of it, so if you see anything that you think we should know during this removal, please let us know....
Please Note:
After removing a browser hijacker, Ad-aware 6 will set your Start Page to "Blank".
So you may need to set the Start and Search pages in your browser manually back to your preferred one.
The reason is, the hijack has changed the page; since Ad-aware 6 does not know what it was set to before, it resets it to a blank page.
If you do not see any differences, then disregard this.....
- _uNDeRsCoRE
- Regular Member
- Posts: 252
- Joined: Sat Jun 15, 2002 6:44 am
...
srbarnes4ever
Check this out, maybe this could help...
Panda's new online virus/trojan/worm scanner
Source:
http://forums.spywareinfo.com/index.php ... martsearch
-
srbarnes4ever
- Member
- Posts: 94
- Joined: Fri Dec 06, 2002 9:15 pm
- Location: Lexington, KY
Can't seem to get rid of this variant... keep seeing an sp.html file in my Docs&Settings/IE folder along with a funny DLL and other registry entries such as "OLD Home Page" something or another.... CWS finds jksearch at every reboot and Ad-aware finds 4 - 6 entries as well.... HJT finds them only AFTER I've used either CWS or Ad-aware to yank them out. Any other suggestions.... 'bout ready to **** can this laptop... but it's a company unit so I'm stuck with it for a few more months.
Peace,
Stevie B.
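Several replies in this thread ask for the HijackThis (HJT) log, and the last post lists the indicators to look for in it: an IE start/search page pointing at a local sp.html, a renamed DLL behind it, and registry entries that come back at every reboot. The script below is an added example, written for this page and not code from the thread, from HijackThis or from any of the tools named here. It parses HJT-style log lines (R0/R1 IE URL values, O2 Browser Helper Objects, O4 autostart entries), flags R lines whose target is a local res:// or file:// resource or an sp.html file, and then correlates the DLL named in those URLs with unnamed BHOs and Run-key entries, so the entry is caught whatever the DLL has renamed itself to. The sample log is constructed: the DLL name ieloader.dll, both CLSIDs, the user name and the paths are invented for the example (the thread's own logs were never posted).

```python
"""Triage HijackThis-style log lines for browser-hijacker indicators."""
import re

# Constructed sample in the HijackThis log format (R0/R1 = IE URL values,
# O2 = Browser Helper Objects, O4 = autostart entries). The DLL name,
# CLSIDs, user name and paths are invented for this example; the thread's
# own logs were never posted.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ieloader.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://C:\Documents and Settings\stevie\Local Settings\Temp\sp.html
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINNT\system32\ieloader.dll
O2 - BHO: Example Toolbar Helper - {66666666-7777-8888-9999-000000000000} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ieloader] rundll32.exe C:\WINNT\system32\ieloader.dll,DllRegisterServer
"""

R_LINE = re.compile(r"^(?P<section>R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DLL_REF = re.compile(r"([\w.-]+\.dll)", re.IGNORECASE)

# IE start/search values that point at a local resource rather than a web site.
LOCAL_SCHEMES = ("res://", "file://")


def _dll_names(text):
    """Lower-cased base names of every .dll mentioned in text."""
    return {m.lower() for m in DLL_REF.findall(text)}


def triage(log_text):
    """Return a list of {section, line, reason} dicts for suspicious entries.

    Pass 1 flags R lines whose URL is a local file (res://, file://, sp.html)
    and collects the DLLs those URLs name, plus the DLLs behind unnamed BHOs.
    Pass 2 flags BHOs with no name, BHOs whose DLL is also a hijacked IE URL
    target, and autostart entries that load any collected DLL, so a renamed
    DLL is caught wherever it is wired in.
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = []
    url_dlls = set()      # DLLs referenced from hijacked IE URLs
    bho_dlls = set()      # DLLs behind unnamed BHOs

    for line in lines:
        m = R_LINE.match(line)
        if m:
            url = m.group("url").strip().lower()
            if url.startswith(LOCAL_SCHEMES) or "sp.html" in url:
                findings.append({"section": m.group("section"), "line": line,
                                 "reason": "%s points at a local file, not a web site"
                                           % m.group("value")})
                url_dlls |= _dll_names(url)
            continue
        m = O2_LINE.match(line)
        if m and m.group("name") == "(no name)":
            bho_dlls |= _dll_names(m.group("path"))

    suspect = url_dlls | bho_dlls
    for line in lines:
        m = O2_LINE.match(line)
        if m:
            reasons = []
            if m.group("name") == "(no name)":
                reasons.append("BHO has no name")
            if _dll_names(m.group("path")) & url_dlls:
                reasons.append("BHO DLL is also the target of a hijacked IE URL")
            if reasons:
                findings.append({"section": "O2", "line": line, "reason": "; ".join(reasons)})
            continue
        m = O4_LINE.match(line)
        if m and _dll_names(m.group("cmd")) & suspect:
            findings.append({"section": "O4", "line": line,
                             "reason": "autostart entry loads a DLL tied to the hijack"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["section"], f["reason"], f["line"]))
```

The correlation step is the point: a scanner keyed on a fixed file name misses a DLL that renames itself, but a DLL that is at once the target of the IE search page, an unnamed BHO and a Run-key entry stands out whatever it is called this boot. On the constructed sample the script flags the two local-file R1 lines, the unnamed BHO and the rundll32 Run entry, and leaves the Google start page, the named toolbar BHO and SoundMan alone. It is triage only; it reads a log and changes nothing, and the removal steps stay with the tools discussed above.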