CoolWebSearch False Positive?

Roger K

I recently updated MS AntiSpywareBeta-1 to ver1.0.614 on my
Windows XP HE +SP2 system.
The following problem now exists --
AntiSpyware says that CoolWebSearch is trying to install on
all my other four users' (limited) accounts, though not on
my admin account, every time they log on. After clicking
"Remove" I see "The browser modifier threat CoolWebSearch
has been successfully removed" and there doesn't seem to be
a problem. Doing a follow-up scan with AntiSpyware reveals
nothing. Next time they log on the same thing happens.
I've run CWShredder and can't see any trace of
CoolWebSearch. Is this a false positive on the part of
AntiSpyware?
I'd be grateful for any help or advice.
Roger

Andre Da Costa

Cool Web Search is something you don't want to have on your PC.
From Chuck:
CoolWebSearch is a constantly mutating major nuisance. The best tool to
diagnose it is HijackThis, and expert advice. HijackThis shows all possible
traces of software, anything that MIGHT be malware, and lets an expert
identify the bad stuff manually.

HijackThis http://www.tomcoyote.com/hjt/

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save
the HJT Log.

http://forums.spywareinfo.com/index.php?showtopic=227

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts,
here):

Aumha: http://forum.aumha.org/index.php

Net-Integration: http://forums.net-integration.net/

Spyware Info: http://forums.spywareinfo.com/

Spyware Warrior: http://spywarewarrior.com/index.php

Tom Coyote: http://forums.tomcoyote.org/
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Guest

Thank you for your response. No, I certainly don't want
CoolWebSearch on my PC. I've already tried HijackThis and
posted the log in the aumha forum, but I've had no response.
I think it must be a false alarm by MS AntiSpyware because
the CoolWebSearch report ONLY appears in the other users'
limited accounts (and it appears in all of them every time
they log on), never in my admin account. If I click on
"Allow" and "Always ignore this threat" they continue to
get the warnings every time. Having chosen "Allow", no
changes are made to Internet Explorer.

Until I find a more satisfactory way of stopping the
reports I have moved the startup registry keys from HKLM to
HKCU so that MS AntiSpyware only starts in my account - but
I realise that this is far from ideal.

Roger

Alan

Make certain there are no files with filenames containing
coolwebsearch in c:\windows\prefetch. If there are, shred
them. This might be what's causing the problem.

Alan
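As an added example (not code from this thread or from any of the tools mentioned), here is a PowerShell inventory of the two places the replies point at: the Prefetch folder that Alan mentions, and the per-machine (HKLM) versus per-user (HKCU) Run keys that Roger moved his startup entry between. It assumes PowerShell on Windows, and the default name pattern is a constructed value you can replace.

```powershell
# Added example: list Prefetch files and Run/RunOnce startup entries whose
# name or command matches a pattern. Run it under each account that shows
# the warning, because HKCU is a different hive for every user.
param([string]$Pattern = 'coolwebsearch')   # constructed default pattern

$prefetch = Join-Path $env:SystemRoot 'Prefetch'

# 1. Prefetch (.pf) files whose name contains the pattern.
Write-Host "Prefetch files in $prefetch matching '$Pattern':"
$pfHits = Get-ChildItem -Path $prefetch -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern }
if ($pfHits) {
    $pfHits | ForEach-Object { '  {0}  ({1} bytes, {2})' -f $_.Name, $_.Length, $_.LastWriteTime }
} else {
    Write-Host '  none'
}

# 2. Startup entries in the machine hive and in the current user's hive.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "`nStartup entries (MATCH marks a name or command containing '$Pattern'):"
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... members PowerShell adds to the object.
        if ($p.Name -like 'PS*') { continue }
        $flag = if ("$($p.Name) $($p.Value)" -match $Pattern) { 'MATCH' } else { '     ' }
        '  {0} {1}  {2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}
```

Comparing the HKLM output (identical for every account) with the HKCU output from the admin account and from one of the limited accounts shows whether the accounts really differ in what starts at logon.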

Alan

Just thought I'd have you check, as some spyware/malware
place files there that are associated with certain
applications. When those apps are launched, all the code
in the prefetch folder is executed to speed up the load
time of that particular app, and this can lead to the
spyware/malware returning without warning.

Another thing that might be causing this is that running
MSAS under a limited user (non-admin) account can cause
problems. This could even lead to false positives, but
it's better to be safe than sorry.

Try running a scan with Ad-Aware or Spybot. My
recommendation is to use Ad-Aware, as Spybot didn't
detect some trojans and keyloggers that had gotten onto
my system, but Giant AntiSpyware, the predecessor to
MSAS, did. You might also want to boot into Safe Mode
(press F8 before the Windows screen) and run a full system
scan with both Ad-Aware and MSAS, only don't run both
scans at the same time unless you are willing to wait
about 35 minutes for both to complete. I'd run one with
Ad-Aware first, note what it finds, then run one with
MSAS, note what it finds, and then delete what MSAS finds
first. Then re-run a scan with Ad-Aware and remove what
it finds, as it has a much faster scanner. You might
even want to use CWShredder in Safe Mode and see if it
picks up anything.

Also, Andre's suggestion to use HijackThis is highly
recommended, as MSAS might not have removed all traces of
CoolWebSearch, especially those found under any of the
limited-user accounts.

Alan

Alan

Do you have an up-to-date AV program?

If you have McAfee, you can run it, as it also detects
CoolWebSearch. I think that Norton detects it as well.
You can go to
http://vil.nai.com/vil/content/v_131470.htm to see
McAfee's page, and
http://securityresponse.symantec.com/avcenter/venc/auto/index/indexA.html
to see the variants of CoolWebSearch from Symantec, which
produces Norton.

Also, check your AV/antispyware program's/programs'
quarantine files and see if CoolWebSearch has in fact been
quarantined by any other program. If so, this could be
the problem. Another thing to check is, when you get the
warning message again, note the location it's coming from
if it's displayed. This could help identify if it's a
conflict between two antispyware (AS) applications, or
even an AV application and MSAS. If you are running
Spybot with its Immunize and Resident-IE feature, or
another AS application's similar feature, along with MSAS's
Real-time Protection, disable every one's feature except
for MSAS's and see if that corrects the problem.

Alan

Roger K

Yes, Alan, I have an up-to-date Norton antivirus and there's
nothing in the quarantine folder - or any other quarantine
folders.
The MS AntiSpyware warning message didn't state the
location where it was coming from.
I run regular scans with Ad-Aware and Spybot, and neither
has reported CWS. I've also run them in Safe Mode, as I
have CWShredder. Nothing else reports CWS -- only MSAS,
and only in the other users' limited accounts. There's no
sign of CWS actually hijacking IE, so as I said previously
I've now prevented it from running except in my admin
account. All seems to be well, but I'm still keen to find
out what's causing this apparent false positive.
Roger

Alan

Probably a glitch. This might be an issue with MSAS not
currently supporting limited-user accounts.

Suggest submitting a report to MS using Tools > Suspected
Spyware Report, and state that it was found only when
running under a limited-user account.

Alan