www.coolwebsearch.com

[Thomas O'Malley]

Hello,

My computer is infected with a trojan virus called norio. It started by a hacking file called coolwebsearch, or at least that's what I've found out by running Adaware and Spybot.

Apparantly Norton Antivirus 2005, nor Panda Antivirus are able to do anything about this Trojan. Can anyone help me out? I've been searching the net for a sollution for the last 4 days now (what a way to spend the New Year eh...). Not to say I'm desperate.

Many thanks in advance

Brgds

Thomas O'Malley

[asmit]

Are you sure Norton can't do anything about it? Have you booted into Safe Mode before attempting to clean it?

http://securityresponse.symantec.com/avcen...ojan.norio.html

Follow these steps!

[Thomas O'Malley]

Are you sure Norton can't do anything about it?  Have you booted into Safe Mode before attempting to clean it?

http://securityresponse.symantec.com/avcen...ojan.norio.html

Follow these steps!

585223873[/snapback]

I saw that page, but no... It didn't work... :no:

[Farstrider]

CoolWebSearch is one of the worst Spyware infections. The latest variants use a Hidden DLL that is installed by taking over the file system's data stream and stealthing the DLL file. Some AntiVirus programs will detect and clean it from memory but as soon as your system is rebooted and another Internet connection made, it will reinstall itself. CWShredder 2.x removes this variant.

Here is the prog to clean it CWShredder

This will fix it :D

[Farstrider]

Sorry, here are the instructions, pretty easy! :cool:

Instructions - Download, close all web browsers and run, select "I AGREE", "Fix" and "OK". After it is finished select "Next" to see if you were infected. Run CWShredder again to confirm all variants of CoolWebSearch have been removed.

[asmit]

CoolWebSearch is one of the worst Spyware infections.

585223898[/snapback]

Wow, you were right!

http://www.adwarereport.com/mt/archives/000051.html

[Thomas O'Malley]

Sorry, here are the instructions, pretty easy! :cool:

Instructions - Download, close all web browsers and run, select "I AGREE", "Fix" and "OK". After it is finished select "Next" to see if you were infected. Run CWShredder again to confirm all variants of CoolWebSearch have been removed.

585223912[/snapback]

Hi Toejam,

Maybe it's me, maybe something changed over the last days but, following these instructions it does not work.

I can download and make the scan run (it finds 46 infected files). At that time I need to register and pay for the complete version.

[Farstrider]

This is freeware you do not have to pay for it, just run the thing!

In fact all you must do is run fix and take it from there!

[Thomas O'Malley]

This is freeware you do not have to pay for it, just run the thing!

In fact all you must do is run fix and take it from there!

585223990[/snapback]

I can run the thing, I just can not erase all the infected files. :blush:

[Farstrider]

Did you download the file from the link that I gave you? You end up on majorgeeks website and there it quite clearly says that it is freeware, sorry if this is not the case. I ran the thing and did not run into any registration requests, so I am not really sure what it is asking you! :blink:

[Thomas O'Malley]

Did you download the file from the link that I gave you? You end up on majorgeeks website and there it quite clearly says that it is freeware, sorry if this is not the case. I ran the thing and did not run into any registration requests, so I am not really sure what it is asking you! :blink:

585224068[/snapback]

Indeed I did download it from the site you gave me.

And indeed you do end up here: http://www.majorgeeks.com/download3019.html

If you decide to download you are transferred to this site http://www.pctools.com/spyware-doctor/?ref...al_mg_sd_336_rd . All of a sudden they don't mention Freeware anymore. If you finally perform the scan, they ask you to register.

So far, no sollution found, I may add ;)

[Farstrider]

Sorry to hear that bud, I will see what I can do!

Just checked the link you said you tried, you are downloading the wrong thing, you must download CWShredder 2.12 click on one of the American sites!

Edited January 3, 2005 by toejam

[digen]

Here try this link.From the MVP's freebie section.

[Farstrider]

I can see what you did, you must wait for the download to start, you did not give it a chance to start, and then you clicked on download Spyware Doctor, no wonder you ended up with the wrong thing! As they say in the classics read the instruction and ye shall be rewarded!!! :whistle: :whistle:

[Thomas O'Malley]

Thanks guys,

CWShredder scanned and worked. At least that problem is solved. There was no infected file from www.coolwebsearch found.

So the next question I have is how it can be possible that CWShredder doesn't find anything while my Homepage on my browser always resets itself on about:blanc (while it was www.google.com) and how it is possible that Adaware finds 19 infected files from www.coolwebsearch.com... :wacko:

[k0pect8]

Try Spywareblaster and Spybot - both free.

[digen]

Spywareblaster isnt a spyware scanner as such.It integrates with your browser & just prevents activex components from downloading via IE.Doesnt help much when you are already infected.

[sizduman]

you might have C2lop

[LastSamurai]

Thanks guys,

CWShredder scanned and worked.  At least that problem is solved.  There was no infected file from www.coolwebsearch found. 

So the next question I have is how it can be possible that CWShredder doesn't find anything while my Homepage on my browser always resets itself on about:blanc (while it was www.google.com) and how it is possible that Adaware finds 19 infected files from www.coolwebsearch.com...  :wacko:

585224557[/snapback]

google a removal tool called "about:buster", or post a Hijackthis Log, CWShredder can't clean all CWS variants.

[Hawkeye]

google a removal tool called "about:buster", or post a Hijackthis Log, CWShredder can't clean all CWS variants.

585227775[/snapback]

This is correct. CWShredder can handle most primitive forms of CWS, but there are one or two that are just totally nefarious and cannot be removed by CWShredder. I actually had one of the types that cannot be removed from it on my computer, and at that time, the variant was still fairly new, and boy, I thought I would have to take a jackhammer to my computer before I finally got rid of it.

Post a HijackThis log here (you can attach it if you like). We will tell you where to go from there. HijackThis will catch some deviant DLL files that are associated with CWS.

[Thomas O'Malley]

This is correct. CWShredder can handle most primitive forms of CWS, but there are one or two that are just totally nefarious and cannot be removed by CWShredder. I actually had one of the types that cannot be removed from it on my computer, and at that time, the variant was still fairly new, and boy, I thought I would have to take a jackhammer to my computer before I finally got rid of it.

Post a HijackThis log here (you can attach it if you like). We will tell you where to go from there. HijackThis will catch some deviant DLL files that are associated with CWS.

585227850[/snapback]

This is all like chinese to me, but I haven't got anything to loose, do I?

Anyway, I think this is what I think you asked me to do:

Logfile of HijackThis v1.99.0

Scan saved at 17:12:54, on 4/01/2005

Platform: Windows 2000 SP2 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\SYSTEM32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINNT\System32\TCAUDIAG.exe

C:\WINNT\loadqm.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\ICQLite\ICQLite.exe

C:\program files\quicktime\qttask.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINNT\System32\RUNDLL32.EXE

C:\WINNT\System32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe

C:\WINNT\System32\msiexec.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\apilv.exe

C:\WINNT\system32\mfchk32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\PROGRA~1\WINZIP\winzip32.exe

C:\WINNT\explorer.exe

C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\honmj.dll/sp.html#52409

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\honmj.dll/sp.html#52409

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\honmj.dll/sp.html#52409

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\honmj.dll/sp.html#52409

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\honmj.dll/sp.html#52409

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\honmj.dll/sp.html#52409

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\honmj.dll/sp.html#52409

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {ECC139F7-6982-B594-DBFC-75FF0AA44A72} - C:\WINNT\crob32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [mfchk32.exe] C:\WINNT\system32\mfchk32.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\RunOnce: [MNSIndex] C:\Program Files\ToDelete\MNSIndex.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [ultimate Popup Blocker] C:\Program Files\ToDelete\Ultimate Pop-up Blocker.exe

O4 - HKCU\..\Run: [ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe

O4 - HKCU\..\Run: [Each Ref] C:\DOCUME~1\Patje\APPLIC~1\FORVGA~1\enc stop.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\RunOnce: [MNShist] C:\Program Files\ToDelete\MNSHist.exe MNSErase

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot

O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be

O16 - DPF: Dexia netbanking - http://netbanking.dexia.be/PC//Dynamic/Sha...t//DexiaIIA.cab

O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab

O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.t058.com/inst/enter.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/091a39087ff674...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...llInstaller.exe

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.com/dialer/belgio_ver3.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINNT\system32\apilv.exe

If you do find a sollution to my problem, please try to explain it in a language understandable for simple human beings as myself, will yah?

[Farstrider]

Just a quick question, what version of CWShredder did you download and use?

This from the people who now own and make CWShredder:

CWShredder? Version 2.1 is the latest defense against the new Cool Web Search variants.

CWShredder? Version 2.1

Released: December 2004

Here is the link, once you click on the correct link, WAIT FOR THE DOWNLOAD TO START, do NOT click on anything else, the download takes a few moments to start.

CWShredder 2.12

Hope this helps.

Here is a link from the homepage CWShredder

[Thomas O'Malley]

Just a quick question, what version of CWShredder did you download and use?

This from the people who now own and make CWShredder:

CWShredder? Version 2.1 is the latest defense against the new Cool Web Search variants.

CWShredder? Version 2.1

Released: December 2004

Here is the link, once you click on the correct link, WAIT FOR THE DOWNLOAD TO START, do NOT click on anything else, the download takes a few moments to start.

CWShredder 2.12

Hope this helps.

Here is a link from the homepage CWShredder

585230296[/snapback]

That's the one I downloaded and tries toejam.

But there is a positive progress, meaning: I tried Spy Sweeper and that seems to work... At least, my home page is reset to http://www.google.com .

But I did not reboot so far, so let's just hope for the best. CWS isn't removed, Adaware still finds files from that stupid www.coolwebsearch.org thing.

The Norio Trojan is definitly removed, that's for sure. So the only problem remaining is CW:crazy:azy:

[Farstrider]

This is really irritating I can just see how mad you must be. I am really going to see if I can help, come hell or high water we must get rid of this thing. I tell you these people who make **** like this should be hung drawn and quartered, jeez they **** me off!! :crazy:

[Thomas O'Malley]

This is really irritating I can just see how mad you must be. I am really going to see if I can help, come hell or high water we must get rid of this thing. I tell you these people who make **** like this should be hung drawn and quartered, jeez they **** me off!! :crazy:

585230561[/snapback]

Even Spy Sweeper can't get rid of it... :(

It keeps on finding 2 'things', saying AdAware found: CWS_NS3 (CWS_NS3 has the ability to hijack your Web searches, home page, and Internet Explorer settings.) I can delete them through Spy Sweeper, but if I run it again, these two items are there again...

I blocked my homepage now on the default homepage, as Spy Sweeper recommended when you have a good idea you were hyjacked, which is: http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome So there goed my http://www.google.com as my used to be homepage...

Anyway, when this scan is finished I'm going to reboot the system once more to see if that changes anything. :cry: