A new variant of the CoolWebSearch virus?


Michael

My PC has been infected with the CoolWebSearch virus but I haven't
been able to remove it based on the methods posted in this newsgroup.
Could this be a new variant? This is what I have done.

I've applied all the Windows security patches to my XP system. My
understanding is that this will prevent future infection with another
instance of the virus. But this will not deactivate the virus that is
already in my computer.

Norton Anti-Virus. I scanned my computer a few times and on two
occasions it detected a virus. The first time it found it in a file
d.exe in c:\windows\system32. The second time it found it in
A0134323.exe in c:\System Volume Information\_restore{B37.... Norton
removed the virus in both cases but it came back. Now the scan tells
me it's free of virus but I know it is still in my system.

CWShredder. I have downloaded this program and run it. The first
time I ran it the program indicated it removed the virus from
CWS.Msconfd. Then I ran it again several seconds later and it
indicated it removed the virus from CWS.MSconfd again. It appears
that it did not do a clean removal of the virus because each
invocation of the program would remove the virus again from
CWS.Msconfd. In any case, the virus is still in my computer.

Ad-Aware. I have downloaded this program and performed multiple scans
of my computer. The first scan shows the following:

POSSIBLE BROWSER HIJACK ATTEMPT
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[4]=RegData : Software\Microsoft\Internet Explorer\Main
obj[5]=RegData : Software\Microsoft\Internet Explorer\Search

I deleted the found objects, rebooted my system and rescanned. This
time the scan came out clean but the virus came back.

HiJackThis. I downloaded this program and the first scan showed the
following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://qwertysearch123.biz/?id=1017
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://qwertysearch123.biz/?id=1017
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://qwertysearch123.biz/?id=1017
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://qwertysearch123.biz/?id=1017

Then I deleted these entries and I ran HiJackThis again within a few
seconds. However, the same four entries showed up again during the
scan.

It appears that none of the tools can remove the virus completely.
Any suggestions? I have also sent a note to the author of the
CWShredder program informing him that his program does not remove the
virus from my computer.
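The four HijackThis lines in the post above are Internet Explorer start-page and search-page values under HKCU that return within seconds of being deleted. The following is an added example, written for this page and not code from the thread or from the HijackThis project: it parses R0/R1 lines in the wrapped form they were posted, flags values that point at a host outside an assumed allowlist (TRUSTED_HOSTS is an assumption, not anything the thread specifies), and compares two scans to list the hijacks that reasserted themselves after a fix. The sample scans are constructed from Michael's four lines plus one benign HKLM line added here for contrast.

```python
"""Parse HijackThis R0/R1 browser-setting lines and flag hijacked values.

Added example; not code from the thread or from HijackThis. TRUSTED_HOSTS
is an assumed allowlist, and the sample scans are constructed.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# HijackThis "R" lines: R0 = changed registry value, R1 = created value.
# Shape: "R1 - HKCU\Software\...\Main,Search Bar = http://host/..."
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?)\s*=\s*(.*)$")

# Assumed allowlist of hosts a user might legitimately have set as a start
# or search page; anything else is reported.
TRUSTED_HOSTS = {"www.msn.com", "www.google.com", "www.microsoft.com"}


@dataclass(frozen=True)
class IEEntry:
    kind: str    # R0 / R1
    hive: str    # HKCU / HKLM
    key: str     # registry key path below the hive
    name: str    # value name, e.g. "Start Page"
    value: str   # URL or other data


def parse_hjt(text: str) -> List[IEEntry]:
    """Parse R-lines, joining a value that wrapped onto the following line."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries: List[IEEntry] = []
    i = 0
    while i < len(lines):
        m = R_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        kind, hive, key, name, value = m.groups()
        # Newsgroup posts wrap long lines: the value may sit on the next line.
        if not value and i < len(lines) and not R_LINE.match(lines[i]):
            value = lines[i].strip()
            i += 1
        entries.append(IEEntry(kind, hive, key, name.strip(), value))
    return entries


def is_hijacked(entry: IEEntry) -> bool:
    """True when a start/search setting points at an untrusted host."""
    if not entry.value or entry.value.lower().startswith("about:"):
        return False
    host = urlparse(entry.value).hostname
    # A value that is not a URL at all (e.g. a bare file name) is suspicious too.
    return host is None or host.lower() not in TRUSTED_HOSTS


def flag_hijacks(text: str) -> List[IEEntry]:
    """All parsed entries whose value fails the allowlist check."""
    return [e for e in parse_hjt(text) if is_hijacked(e)]


def reasserted(before_fix: str, after_fix: str) -> List[IEEntry]:
    """Flagged entries present both before and after a fix.

    An identical hijack returning within seconds means something still
    running is rewriting the keys; deleting the values alone will not hold.
    """
    earlier = set(flag_hijacks(before_fix))
    return [e for e in flag_hijacks(after_fix) if e in earlier]


# Constructed from the four lines in Michael's post (wrapped as posted), plus
# one benign HKLM line added here for contrast.
SCAN_BEFORE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://qwertysearch123.biz/?id=1017
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://qwertysearch123.biz/?id=1017
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://qwertysearch123.biz/?id=1017
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://qwertysearch123.biz/?id=1017
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""
# Second scan a few seconds after deleting the entries: the same lines return.
SCAN_AFTER = SCAN_BEFORE


def main() -> None:
    for e in flag_hijacks(SCAN_BEFORE):
        print(f"HIJACK {e.kind} {e.hive}\\{e.key},{e.name} -> {e.value}")
    back = reasserted(SCAN_BEFORE, SCAN_AFTER)
    if back:
        print(f"{len(back)} entries returned after the fix: "
              "a resident component is rewriting them")


if __name__ == "__main__":
    main()
```

The comparison is the useful part: when a fix removes the values and the next scan shows the same four lines, the registry values are a symptom, and the component that is loaded and rewriting them has to be found before any registry cleanup will stick.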
 
Maybe? http://forums.spywareinfo.com/index.php?s=d91ba7486c9c5867908e1fe667a08c02&act=idx

----- Michael wrote: -----

Hi Michael - Well, you kinda need to know what the parasite(s) is/are before
you can do much about fixing them except to apply some general tools like
AdAware and/or SpyBot S&D (see below). If they don't fix it then start
here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's updated
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php?act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance. Someone will answer with detailed instructions for the removal
of your parasite(s).


For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
Update and run this regularly to get rid of most "spyware/hijackware" on
your machine. If it has to fix things, be sure to re-boot and rerun
AdAware again and repeat this cycle until you get a clean scan. The reason
is that it may have to remove things which are currently "in use" before it
can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others.


Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



Michael said:
Disable System Restore, then delete the problem file if
you can, and reboot. Hope it will be gone. If not, try this
place, darnit.
-----Original Message-----
This parasite is changing by the minute.
Look here and see if you can find some instructions to disable or remove it
completely.
http://www.merijn.org/cwschronicles.html#msconfd


I know you have this tool, but get the latest help from the forum.

Go to http://www.spywareinfo.com/downloads.php#det
Download "Hijack This!" [freeware] or download direct (below):
http://www.merijn.org/files/hijackthis.zip

If you get a 404 error or Access denied, try:
http://216.180.252.218/~spywareinfo.com/downloads/tools/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Next, HijackThis | Config [button] | Misc Tools [button]
Click: Generate StartupList log [button] (generates "startuplist.txt")

Next, go to the below location:
http://www.spywareinfo.com/forums/

Sign in, then copy and paste both files in your message.

HijackThis Quick Start Help
http://www.tomcoyote.org/hjt/

The Tutorial if you want to know more about the results or the .log file.
http://www.merijn.org/htlogtutorial.html




Michael said:
Following your advice, I have been posting at the spywareinfo forum.
I have posted a couple of HiJackThis log files for review, and
hopefully someone could figure out how to remove the virus.

Scanning the spywareinfo forum, I noticed several people are
experiencing the same problem. They've used tools such as CWShredder,
HiJackThis, Ad-Aware and Spybot but to no avail. Looks like this is a
new variant of the CoolWebSearch virus.
 
For the benefit of others, please keep us posted as to what was the
solution.

Thanks.
 
It appears the virus has been removed from my computer. It hasn't
surfaced for more than one day. Basically there is an infected
file, avpcc.dll, in my computer. The virus changes the Windows
registry to point to this file. I have to remove avpcc.dll and update
the registry. For a complete discussion of this problem, please visit
the spywareinfo forum and look for a thread titled "can't remove the
CoolWebSearch virus". Here is a link for it:

http://forums.spywareinfo.com/index.php?showtopic=23564&hl=remove+coolwebsearch
 