CoolWebSearch - failed to remove on limited account

[Guest]

This is a strange problem in that the problem doesnt seem to occur on the
admin account, but is seen on a limited account.
I have recently installed microsoft AntiSpyWare beta release on my XP
machine. I have an admin account and a limited account. I dont have any
problems on the admin account, however I have noticed that when running a
spyware scan upon the limited account it has detected that the limited
account user's serach tool bar uri switching from google to wanadoo to which
I say "allow". At this point a alert occurs indicating "CoolWebSearch"
attempting to be installed and gives me the option to remove it. I indicate
that I wish to remove "CoolWebSearch" and seems to have removed it. However
when I logout from the limit account and then back in again I find exactly
the same problem occurs again. Is there going to be a fix for this problem or
do I need to run some different software to get rid of this problem?

 

[Bill Sanderson]

I'm not sure whether you have a real problem, or a combination of false
positive/bug.

This is what I'd do to try to resolve the question:

1) log in as administrator and change (control panel, user accounts) the
limited user to an administrator.

2) log in as the (previously) limited user and see what happens--run a full
deep scan and cleaning run if need be.

3) Once you are satisfied that the machine appears to be clean, change the
(previously) limited user back to a limited user again.

Now lets see what messages you get as you log in as that limited user?

There are bugs in beta1 with regards to limited users--you may well still
get a message of some sort each time that user logs in--but I don't believe
it should reference CoolWebSearch--but perhaps some combination of factors
on your machine causes that.

 

[Guest]

Many thanks for your help it seems to have done the trick. I think you are
right
there does seem to be a problem with the MS antispyware beta version regards
use within a limited account. I resolved the problem as you suggested as
follows:
a) From PC bootup - login as admin and changed the existing limited account to
an admin account (admin2)
b) switched user (1st admin still logged in) to what is now admin2 account
and got the MS antispyware alert "An internet Explorer search bar URL change
requires your approval" attempting to change http:/www.google.com/ie to
http:/www.wanadoo.co.uk/iesearch/default/htm.
c) clicked "allow". This time I got no mention of "CoolWebSearch".
d) Did a MS Antispyware scan anyway and no problems detected.
e) Reverted admin2 account back to limited account via admin1 account.
f) After that tried out various combinations of login of admin and limited
account and the problem seems to have been resolved.
Many thanks,
Bill

 

[Bill Sanderson]

Great! The announcement yesterday of the new name--Windows Defender, along
with the welcome news that the new version will run as a service, and get
definition updates via AutoUpdate or WSUS (in a corporate setting) I hope
means that some of these foibles won't be with us much longer.
--

 

[Guest]

I have this problem as well, but the warning CoolWebSearch is trying to
install only pops up when I log in as THE ADMINISTRATOR. I delete it and
next time I login as TA, same problem. I run CWShredder at every login and
it finds nothing. I had CWS qttasks which I finally got rid of via copious
regedits. Does anyone know what file/files/keys spawn the CWS that MSAS says
it finds? MS support has been less than helpful ... :/