Coolwebsearch

Gazza

Not been able to search the newsgroup, but the problem I
have is that on 2 of the accounts on my PC comes up with a
warning that CWS is trying to hook into my browser.
Followed the standard instructions of having MSAS remove
this. Also ran in safe mode (twice) on both accounts and
as administrator. Also ran CWS Shredder, Webroot Spy
Sweeper, Ad Aware and Spybot but none of these found it.
Also tried a manual removal but couldn't find any
relevant registry entries.

Is this a fault with MSAS?
 
Leon Zandman

Not been able to search the newsgroup, but the problem I
have is that on 2 of the accounts on my PC comes up with
a warning that CWS is trying to hook into my browser.

I get this warning too. I have Windows XP Home installed
with two users (me and my wife). When my wife logs in she
always gets that Coolwebsearch warning. I also click the
remove button, but the next time it still shows up.

I performed a scan with CWShredder, the premier tool for
detecting and removing CoolWebsearch, but it didn't find
anything. So I think MS Antispyware finds a false
positive. Unfortunately you cannot get very detailed
information about the error. I would like an option where
I can see exactly what (file) caused the warning etc.

Greetz,

Leon Zandman
 
Guest

Glad I'm not the only one. What about removing MSAS and
reinstalling it? I'm pretty certain (though not 100%) that
CWS is not present on my PC.
 
plun

Glad I'm not the only one. What about removing MSAS and
reinstalling it? I'm pretty certain (though not 100%) that
CWS is not present on my PC.

Hi


- First of all send a suspected spyware report to MS about
this, menu tools within MSAS.

I think this can be a new CWS variant.

One way to be sure is to examine all running processes with
for example HijackThis. But you have done that perhaps?

http://www.merijn.org/files/hijackthis.zip

This can be a help to analyze HijackThis logs, don't remove
anything until you are sure.

http://hijackthis.de

Also with MSAS-Advanced tools-System explorers this can be done.

- Running processes and Startup programs.
 
Sean Moreau

I also have that same problem. Every time I, or the 3
other accounts, log in it says that CoolWebSearch is
trying to hijack my computer. I remove it every time, but
it keeps on coming back. I looked at spyware information
sites, and they state that it is a very dangerous
hijacker (9/10 on their scale). I don't want to ignore the
threat, but I don't want it hijacking my browser either.
How does it come back every time? How do I stop it?
 
Cosmo_Topper

I went through a 'Coolwebsearch' period. It was one of the
most annoying and frustrating periods of my computer life.

I never really knew exactly what I did to get rid of it,
but I know I used:

Ad-Aware:
http://www.lavasoft.us/

Spy-Bot Search and Destroy:
http://www.spybot.info/en/index.html

Hijack This:
http://www.merijn.org/index.html
IF YOUR BROWSER IS BEING REDIRECTED YOU MUST USE:
http://209.133.47.12/~merijn/index.html

It was so peculiar because these programs SWORE that they
had eradicated the coolwebsearch and they DID but when I
rebooted, it would show back up. I remember doing a search
for words from the 'coolwebsearch' faux page that popped
up 'within' files and found some txt and log files with
the html for the page. I deleted them a few times and
finally was rid of it. The files would appear in different
places, had recent creation dates, and had names similar
to xxyzzyxx.log or .txt or something like that.

Additionally, turn off Windows Networking (but leave the
TCP-IP protocols) unless you really need the networking
(a stand alone computer on the internet doesn't need
networking).

Finally: Avail yourself the free scans and tools from
Steve Gibson's web site:

http://www.grc.com

http://www.grc.com/dcom/
http://www.grc.com/stm/shootthemessenger.htm
http://www.grc.com/unpnp/unpnp.htm
http://www.grc.com/xpdite/xpdite.htm
http://www.grc.com/dos/drdos.htm
http://www.grc.com/id/idserve.htm

NOTE: about turning off UPNP - When installing some
devices (like my Linksys Wireless Router) I had to
temporarily turn UPNP back on. Once I had finished
installing, I turned it back off.
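
The file hunt Cosmo_Topper describes above (recently created .txt/.log files that hold the hijack page's HTML), as an added example that is not part of the original thread. The extensions, the 7-day window, the HTML markers and the sample phrase are assumptions chosen for illustration, and the sample files are constructed:

```python
import os
import re
import tempfile
import time
from pathlib import Path

SUSPECT_EXTS = {".txt", ".log"}  # assumed heuristics, not from the thread
HTML_MARKER = re.compile(rb"<\s*(html|body|script|iframe|a\s+href)", re.I)


def find_html_in_text_files(root, phrases, max_age_days=7, now=None):
    """Recent .txt/.log files holding HTML plus a phrase from the hijack page."""
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    wanted = [p.lower().encode() for p in phrases]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                born = getattr(st, "st_birthtime", st.st_mtime)  # creation if exposed
                if max(born, st.st_mtime) < cutoff:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB is enough for triage
            except OSError:
                continue  # locked or unreadable: skip, keep sweeping
            found = [p.decode() for p in wanted if p in data.lower()]
            if found and HTML_MARKER.search(data):
                hits.append((path, found))
    return sorted(hits)


def demo(now=None):
    samples = {  # constructed files, not real CoolWebSearch artefacts
        "xxyzzyxx.log": b"<HTML><body><a href='#'>Search the Web</a></body>",
        "notes.txt": b"todo: search the web for a new router",  # no HTML
        "page.html": b"<html><body>Search the Web</body></html>",  # other ext
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        hits = find_html_in_text_files(root, ["search the web"], now=now)
        return [os.path.basename(p) for p, _ in hits]


if __name__ == "__main__":
    print(demo())
```

The sweep only reports candidates; nothing is deleted, so each hit can be inspected before any change is made.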
 
Andre Da Costa

Here are some removal instructions from Chuck:
CoolWebSearch is a constantly mutating major nuisance. The best tool to
diagnose it is HijackThis, and expert advice. HijackThis shows all possible
traces of software, anything that MIGHT be malware, and lets an expert
identify the bad stuff manually.

HijackThis http://www.tomcoyote.com/hjt/

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save
the HJT Log.

http://forums.spywareinfo.com/index.php?showtopic=227

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts,
here):

Aumha: http://forum.aumha.org/index.php

Net-Integration: http://forums.net-integration.net/

Spyware Info: http://forums.spywareinfo.com/

Spyware Warrior: http://spywarewarrior.com/index.php

Tom Coyote: http://forums.tomcoyote.org/
 
Bill Sanderson

You could be right, but I'm leaning towards the false positive camp, myself.
Will stay tuned, and watch this one because I've seen it on a couple of
machines myself, including my own this morning.
 
ccrashh

I have EXACTLY the same problem with YourSiteBar. I started a thread a
couple of weeks ago about this. I am 100% sure it is a false positive.
Easy way to check is to say "Allow" when MSAS puts up its warning. I am
pretty sure that once you "Allow" it, and then you check, you won't have it
there at all.

I tried uninstalling MSAS, and reinstalling it, but that didn't help. I may
have to try it again and clean out any residual Registry entries to get MSAS
totally uninstalled. Don't know.

This is a fairly serious issue, certainly if it is only a false-positive,
since many might do what I did and just flag this "threat" as "Always
Ignore".
 
ccrashh

Interesting. I re-installed Spybot and it discovered two IST registry
entries. Unfortunately, SD doesn't make a log file, and I purged the
recovery files. However, the false-positive doesn't seem to appear anymore
(for YourSiteBar).

Will keep the forum posted.
 
ccrashh

Nope. Still there. Maybe time to uninstall, clean out the registry, and
then wait for beta 2.
 
Gazza

Not much use to you guys I know but yesterday uninstalled
MSAS. Then reinstalled and updated to latest definitions.
Went into account and the warning came up again.

Then went into safe mode. Ran MSAS twice found nothing.
Ran CWS and SpyBot - nothing. Ran AdAware - 11 minor
problems.

Went back into XP and into the account - nothing. No
warnings at all. So for now it has disappeared but a few
more checks tonight will convince me.
 
Gazza

What annoys me though (and perhaps is one for MS to
consider) is that when you get the warning you only have 2
possible choices - to ALLOW or to REMOVE.

You can't allow, so you have to remove it. We all know
that this is only a temporary removal as it will be back
next time you fire her up. And of course a temporary
removal also prevents users running any other program to
give it a good bashing so therefore defeats the object of
the whole exercise.

Can MS give us a third option to TEMPORARILY IGNORE the
threat to enable us to run a number of significant tests
to eradicate it for sure?
 
Bill Sanderson

Gazza said:
What annoys me though (and perhaps is one for MS to
consider) is that when you get the warning you only have 2
possible choices - to ALLOW or to REMOVE.

You can't allow, so you have to remove it. We all know
that this is only a temporary removal as it will be back
next time you fire her up. And of course a temporary
removal also prevents users running any other program to
give it a good bashing so therefore defeats the object of
the whole exercise.

Can MS give us a third option to TEMPORARILY IGNORE the
threat to enable us to run a number of significant tests
to eradicate it for sure?

OK - you've got a trojan attempting to install on your machine. If you
allow it to install, you've given away your machine to the hacker--he can do
anything he wants--the machine isn't yours anymore.

What happens if you choose "temporarily ignore?"
 
Gazza

I certainly don't want it to take control, but I want it
dealt with.

Clearly others have the same problem.

What I would like to see is MSAS identify the issue,
allow users to disable the hazard but leave it on the PC
so that I can then run alternative procedures to track it
down and crush it.

 
Steve Dodson [MSFT]

What was the false positive file which AS is hitting on? If it is not a
false positive, what is the behavior?

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Bill Sanderson

I hear you. I'm not sure what alternatives are really available
here--whether there's a way to quarantine something like this given what is
running and generating the alert.

This is the place to raise these issues, and Microsoft does read them.
 
ccrashh

For me, it is YourSiteBar. When the warning comes up, I just say "Allow".
Of course, nothing gets installed at all.

HijackThis shows nothing. A system scan with MSAS (in safe mode) shows
nothing. A scan with Spybot shows nothing.


Steve Dodson said:
What was the false positive file which AS is hitting on? If it is not a
false positive, what is the behavior?

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
Gazza said:
Not much use to you guys I know but yesterday uninstalled
MSAS. Then reinstalled and updated to latest definitions.
Went into account and the warning came up again.

Then went into safe mode. Ran MSAS twice found nothing.
Ran CWS and SpyBot - nothing. Ran AdAware - 11 minor
problems.

Went back into XP and into the account - nothing. No
warnings at all. So for now it has disappeared but a few
more checks tonight will convince me.
 
ccrashh

That's what I would want. Even if they put in the log what is prompting the
alert would be fine. There is NOTHING on my machine. No hijacking is
taking place. I am computer-savvy enough to know that. This is definitely a
false-positive.
 
