CoolWebSearch wont go away

[Tokar]

Windows XP Pro

My broser keeps getting hijacked by CWS. CWShredder says its CWS.HiddenDLL and it removes it, or so it says. Only to come back a efw reboots later.

When doing HijackThis without the CWShredder program, it finds a few problematic entries...

it finds that two of the IE webpages are set to CWS standard page:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1<user>\LOCALS~1\Temp\sp.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\<user>\LOCALS~1\Temp\sp.dll/sp.html

Then it finds:

O2 - BHO: (no name) - {BF160F57-828F-42E6-9FD4-3C6D4BE29528} - C:\WINDOWS\system32\<random name>.dll

And:

O18 - Filter: text/html - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\<random name>.dll

O18 - Filter: text/plain - {584D71CB-AD29-45F9-ABB4-AFA6A9688486} - C:\WINDOWS\system32\<random name>.dll

Where <random name> is some randomly generated alphanumeric code, in this case jjgd...and is the same for all three of them.

And lastly, it finds a key, which i dont have a log of, but its in the registry location of the startup\run stuff, and is a rundll32 of the se.dll as mentioned earlier.

Now...

If I decide to remove this stuff in hijackthis before killing the rundll32.exe service inthe processes, it does nothing, and everything i checked returns. If i kill the process rundll32.exe, I can delete the entries for good, until it comes back a few reboots later.

After killing rundll32, actually even without kkilling it, I'm able to delete the se.dll file in the temp folder. But after a few reboots the file returns, the thing is in the startup, all those entries and back and my homepage is hijacked (as well causing a lot of my softwares to crash, like explorer.exe and msimn.exe [outlook express]).

I would figure that after I do all the HijackThis word and CWShredder work it would be gone, but its not.

I remember someone told some other guy who had a recoccuring CoolWebSearch on his system to check this reg entry, App Init Dll...i cant remember its location. But it owuld have something that the Windows registry editor couldnt read, and something like Registrar Lite could do it, as well as say if there is actually something there.

I used RegistrarLite and it said the key size was 0, that nothing was there.

So I'm clueless. I have no idea how to remove this thing.

Anyone have any ideas?

Edited February 12, 2005 by Tokar

[Jaded]

Before running CWShredder, are you turning off system restore? Also try MS anti-spyware. I have found it pretty good in removing CWS.

[Tokar]

Before running CWShredder, are you turning off system restore? Also try MS anti-spyware. I have found it pretty good in removing CWS.

585456827[/snapback]

ive had system restore off since day 1.

MS Antispyware doesnt find anything to tell you the truth. Excuse me, I'm using GIANT Antispyware, most recent version (1.0.301 or something), which is the last version before it became MS Antispyware. It finds nothing.

[Marsden]

Like the man said, move up to the real deal...

[Hawkeye]

Hmm. This does look like something I have seen before. It may be a very nasty variant of CWS, but I'm not 100% sure at this point.

See my post here from a few weeks ago. It's long and detailed, but make sure you read all of it carefully and see if it will work for you.

If I remember correctly, your homepage in Internet Explorer is most likely hijacked and is set to about:blank. When this variant of CWS isn't on your computer, about:blank is supposed to show a blank white page. Since the CWS is on your computer, it likely shows some search engine-like page.

Edited February 12, 2005 by Hawkeye

[Buzz99]

There is a new version of cwsshredder somewhere. Get some antispyware soft ( ad-aware, spybot, spywareguard, spywareblaster and YES Microsoft antispyware ) clean your sys and wait a day. Do the same if CWS come back. You can beat spyware !!!

[Tokar]

OK...

marsden: GIANT is the same as Microsoft. it uses the same engine and the same antispyware definitions. It doesnt matter which u use. In fact GIANT is a bit better since it comes with some built in code to prevent certain activeX hijacks, something which Microsoft removed and hopefully will add at a later time (it was called System Innoculation)...GIANT tells current users not to upgrade, rather to let their current subscription to run its length.

Hawkeye: yeah that thread, the one i had replied in. if you look in my original post in THIS thread, i had said there was nothing showing on App Init DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs...that is the location, i checked there. That was the first thing i did actually...i went and read your post when i first got the infection.

buzz99: CWShredder 2.13. As i said in my original post it finds CWS.HiddenDLL. It says it removes it, but it keeps coming back. I have spyware blaster, but that isnt really a spyware remover, rather something that secures your computer to protect against further infection. I dont need or want AdAware or SpyBot. And as i said Microsoft = GIANT...its the exact same product. Ive just waited a day and it came back after cleaning.

heres the only update i have...

I was deleting the file c:\documents and settings\<user>\local settings\temp\se.dll....which it was first running. But after i deleted that it would put itself in c:\windows\temp, same dll, and initializing it there, which i didnt notice until after i made the post. I thought deleting it would fix it, but it didnt.

[k22]

are you closing all windows (IE and explorer) when you run CWShredder? Also, it would not hurt to try ad-aware and spybot (both detect coolwebsearch as well); you can uninstall them if they don't remove it.

[ghostwind]

you should try using a browser like firefox. unless you have to surf websites that use activex, and other microsoft unique features, firefox is a much more secure product.

[Tokar]

you should try using a browser like firefox. unless you have to surf websites that use activex, and other microsoft unique features, firefox is a much more secure product.

585461830[/snapback]

thanks but no thanks.

As i tell every other person who suggests this...this is pretty bad advice to give anyone if you ask of my opinion. Most people prefer not to change what they use on the computer...and suggesting they do such is not usually good advice. Its usually the last advice i give anyone in need of help on a certain program (to tell them to use another program that does the exact same thing).

As fas as the guy who said about closing IE and such. yeah IE is closed when i run it.

I suppose i can give adaware and SB a try...im assuming you mean run those things AFTER i clean up the system (or what i believe to be clean), yes?

if yes, i'll let you know my results after the runs.

[Tokar]

ok...now this time Kaspersky, when opening Internet Explorer and getting the about:blank page, says that se.dll is infected with:

Trojan.Win32.startpage.gn

And it deletes it.

It deletes the two se.dll files when i open up their folders:

c:\documents and settings\<user>\local settings\temp

c:\windows\temp

Now that I have deleted the DLL's (they no longer exist), every program that relies on some component of windows or something crashes since its tied to the missing DLL i believe. It wont be until i reboot that everything fixes itself.

This includes explorer.exe, Internet Explorer, Outlook Express...to name a few.

Everytime i run an explorer window or internet explorer window i get this...its as if it creates the DLL now when i open it.

Edited February 13, 2005 by Tokar

[ghostwind]

thanks but no thanks.

As i tell every other person who suggests this...this is pretty bad advice to give anyone if you ask of my opinion.  Most people prefer not to change what they use on the computer...and suggesting they do such is not usually good advice.  Its usually the last advice i give anyone in need of help on a certain program (to tell them to use another program that does the exact same thing).

As fas as the guy who said about closing IE and such.  yeah IE is closed when i run it.

I suppose i can give adaware and SB a try...im assuming you mean run those things AFTER i clean up the system (or what i believe to be clean), yes?

if yes, i'll let you know my results after the runs.

585461988[/snapback]

Simmer down... It really isn't that big of a deal. I was just stating a known fact about firefox. It isn't microsoft's fault that it has 95% of the market share, and it subject to numerous vulnerabilities... anyways, you can always try blocking the program from running through software policies if you are runnning XP Professional.

[k22]

start, run, sfc /scannow to replace any damaged/missing system files

also yes run both adaware http://www.lavasoft.de/ & spybot http://www.safer-networking.org/

[Tokar]

Simmer down... It really isn't that big of a deal. I was just stating a known fact about firefox. It isn't microsoft's fault that it has 95% of the market share, and it subject to numerous vulnerabilities... anyways, you can always try blocking the program from running through software policies if you are runnning XP Professional.

585462029[/snapback]

im not upset, nor is the hair on my back raising up like a ****ed off cat. Im just stating what I think when people suggest that.

[Hawkeye]

Tokar, my apologies for making such a generic reply and not reading through your entire post. It was about 5:00 AM in the morning when I posted the first time, half asleep. :blush:

I did read your whole post this time. I actually did some research on the side with this also, and it actually appears that there is a newer CWS variant going around that also has the about:blank homepage hijack in Internet Explorer, but isn't fixed using the methods for the other one. History may actually come to show this variant more insidious than the other one from before!

Here is one thing that may or may not work, but there is no harm in trying it. It's a removal tool from Symantec that is supposed to remove the particular spyware/trojan responsible for it. It may or may not work if you have the new variant, but as I said, there is no harm in trying. Here it is: Backdoor.Agent.B Removal Tool.

Post here to let us know if you have any success at all with it. It will scan your hard drive and remove it if it finds anything, or report that it found nothing if that is the case.

[Tokar]

i installed a trial version of webroot spysweeper.

there is so much junk on here that GIANT/Microsoft fails to detect its not even funny.

Even after removing it, it all comes back by itself for Webroot to detect all over again.

Interestingly, Spy Sweeper detects CWS on the system. I have to go back and check the logs as to which is it. All it detects under it though is about 15-20 registry entries...no files or folders. It keeps coming back though.

I tried AdAware but it kept on crashing right as it finishes the scan. I hit cancel twice, and nothing shows up in the results. *shrugs*

[DJ Trauma]

Did you guys try Spybot Search&Destroy? It's free and it can match the commercial ones.

[umteen]

I wonder where you picked up this "oh so hard to get rid of" variant of cws?

I've all faith in GIANT antispyware for preventing it installing in the first place, yet you say that you are a user?

I wonder how you have it set up?

Anyway for cws there is always this site of course.

http://www.spywareinfo.com/~merijn/cwschronicles.html

[speak.up]

I think I had the same problem on my father's computer... SpySweeper would detect the CWS and 'remove it' but after I restarted the machine it would come back... :angry: ...

I run Ad-AWare, SpySweeper and even Spyware Doctor and nothing would get rid of it... Finally, I was able to get rid of it with HijackThis

In HijackThis I did the following:

I checked all the entries with about:blank, some suspicious BHOs, the two Filter:text and some of the entries that include the 'search, bar'... I had to do it twice since I forgot some entries and after I rebooted CWS had come back... I don't remenber deleting any dlls... But I could check in the backup in case it helps... :yes:

Hope you can get rid of it... I know how annoying that can be... :x

[Tokar]

Did you guys try Spybot Search&Destroy? It's free and it can match the commercial ones.

585468705[/snapback]

dont want to burst your bubble..but have you read this article?

http://windowssecrets.com/050127/

Product Adware Fixed  False Pos. 

  Giant AntiSpyware 63%  0 

  Webroot Spy Sweeper 48%  0 

  Ad-Aware SE Personal 47%  0 

  Pest Patrol 41%  10 

  SpywareStormer 35%  0 

  Intermute SpySubtract Pro 34%  0 

  PC Tools Spyware Doctor 33%  0 

  Spybot Search & Destroy 33%  0 

  McAfee AntiSpyware 33%  9 

  Xblock X-Cleaner Deluxe 31%  1 

  XoftSpy 27%  3 

  NoAdware 24%  0 

  Aluria Spyware Eliminator 23%  3 

  OmniQuad AntiSpy 16%  1 

  Spyware COP 15%  0 

  SpyHunter 15%  1 

  SpyKiller 2005 15%  2   

[Tokar]

I wonder where you picked up this "oh so hard to get rid of" variant of cws?

I've all faith in GIANT antispyware for preventing it installing in the first place, yet you say that you are a user?

I wonder how you have it set up?

Anyway for cws there is always this site of course.

http://www.spywareinfo.com/~merijn/cwschronicles.html

585468737[/snapback]

its easier for me to play this off as being my computer (which it isnt), than to describe what the problem actually is.

The problem is such:

Someone i do computer work (as in fixing and such) has her computer and 2 other laptops, and her computer, a desktop, is badly infected, which is the computer being described in this thread. Its much harder to me to coach her over the phone or over AIM since she isnt really that fast at doing this computer stuff. Currently Im unable to goto her house to fix her computer because Im at school 100 miles away from her house. The way I'm fixing her computer, though, is by using RealVNC (hopefully you know what this is...if you dont, its like remote desktop, where i can see and control her desktop as if it was my own). This is very helpful and she appreciates me spending the time to try to fix her computer.

Now, having said that...would you rather me play this off as my computer? Or say its a friend's computer and have you say "tell your friend to try this" "tell your friend to try this"...and make it seem like im a middle man relaying messages back and forth?

[Tokar]

I think I had the same problem on my father's computer... SpySweeper would detect the CWS and 'remove it' but after I restarted the machine it would come back...?:angry:: ...

I run Ad-AWare, SpySweeper and even Spyware Doctor and nothing would get rid of it... Finally, I was able to get rid of it with HijackThis

In HijackThis I did the following:

?  I checked all the entries with about:blank, some suspicious BHOs, the two Filter:text and some of the entries that include the 'search, bar'... I had to do it twice since I forgot some entries and after I rebooted CWS had come back...? I don't remenber deleting any dlls... But I could check in the backup in case it helps..:yes:yes:

Hope you can get rid of it... I know how annoying that can be..:x? :x

585468761[/snapback]

ive done HijackThis a million times.

After cleaning it off, and in the period of time when the computer "seems" fine, all the entries in HijackThis look, and are, completely safe (then again, maybe something is being tied into the AOL Instant Messenger executable...lol).

It takes under a day for everything to come back though...at that point, HijackThis reports the bad O18 entries of the wacky CWS dll in C:\windows\system32, there are two R1 entries for the \sp.dll/blank webpage, and there is i think an O13 entry for that same wacky dll...all of which i remove.

At that same point, opening Explorer windows (such as My Computer), or opening Outlook Express, or Internet Explorer, creates the file C:\windows\temp\se.dll and appends an entry to the startup to do a rundll32 on that dll. Kaspersky sees it being created and reports that its infected with Trojan.Startpage.Win32.gn and it asks me to delete it. Since it denies windows access to the DLL, Windows gives me an error saying that access is denied to the file se.dll. I delete it and it goes away, only to try to recereate adn be redetected by Kaspersky when i open any of these programs again.

Now...at the state of "seeming" clean. If i reboot, it never does that junk with the se.dll. But as i said, it takes less than a day while the comptuer is running to reinfect itself.

Edited February 14, 2005 by Tokar

[dan]

Ive said it before and i'll say it again...

Format, format, format...

Dont say its not an option its just pure laziness... Do a proper backup and format

[Tokar]

Ive said it before and i'll say it again...

Format, format, format...

Dont say its not an option its just pure laziness... Do a proper backup and format

585468819[/snapback]

in most case circumstances i would do that.

if you read up 3 posts including yours, you will see that the problem is not with my computer, rather with a person i do computer work for. I havent said such until now because i figured it would easier for you guys to say to have ME to something, rather than treat me as a middle man and say for "her to try something". Maybe its not easier, but from my experiences with such threads in which its a friend's computer who has the problem, id rather be helping a person straight up, because i get the feeling with such threads that he has to relay that message onto the friend, he does it, sends back the results, then the post comes in, and the cycle starts all over. Its kind of something that makes you feel negative about the original poster, so much so that you dont feel like waiting for such delayed responses.

Now, is formatting an option?...for now, its not. 1) she isnt capable of formatting 2) im 100 miles away to manually do it (since im the only one she knows who can do it), and i really dont want to be backing up her stuff over VNC having her sit at the computer and pop in blank CD's everytime im ready to make a new CD.

Since Im going home for presidents weekend (home being where she is located as well), I will suggest it to her. Otherwise, until then I will try to fix this via conventional antispyware means over RealVNC.

Believe me...Im not trying to say that this is bad advice like the guy who suggested using Firefox (sure using Firefox will get around those nasty about:blank problems, but what about the infection...it still remains right?...right. besides, its not only the about:blank thing, the infection causes problems to explorer.exe and a lot of other programs). I have suggested formatting to her before, but she said she didnt know what the hell to do.. Its certainly something i would do in her case, because i have neither the inclination or the time to deal with such reoccuring problems on my own system. Since its someone who pays me, and pays me well, i feel compelled to provide such live assistance, and will therefore try my best until i deem it necessary to format...which i would say has an ETA of 4 days (when i go home).

[speak.up]

... I dunno... it didn't come back anymore after I run HijackThis twice... :blink: ...

You could run 'Bazooka Adware and Spyware Scanner'... it doesn't clean the computer but identifies the spyware/adware others miss and tells how you can remove it manually...

See this link: http://www.download.com/Get-rid-of-spyware...94.html?tag=txt

Did you already look at your startup entries?

:cool: