Hope this may be of some help to those with coolwebsearch issues


George Hester

Yesterday while surfing I noticed my modem clicking. I don't use the modem for the Internet connection; I only use it for FAX service. Anyway, I knew something was wrong. In the Windows 2000 Task Manager this file was running:

dale.exe

This file has no Version tab in properties and thus is suspect. It is 27KB, about the size of the NETSKY virus and variants. It has an accompanying dll called 2.01.00.dll. The name is not important here. It is a self-registering dll, so you can remove its information from the registry using this command in a command prompt in the folder where it resides (%SYSTEMROOT%\system32\services):

regsvr32 /u 2.01.00.dll <ENTER> | OK <OK>

That should be the very first step. Once that is done you can End the Process of dale.exe in the Task Manager. But there is still a long way to go before you've cleaned out this coolwebsearch hijack.

Next get Merlin's CWShredder. That will fix the Windows Media Player 9 whose executable is replaced by this worm. Also the other files in the above services folder (which you should not have there) are:

crontab.ini
keywords.ini
sl.ini
titles.ini
wmplayer.exe (the worm)

You will also find the above executable called in the Registry in these keys:

HKCR\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

(remove the call to the executable on right)

Also it infests win.ini. CWShredder will find that and take care of it.

Still not done.

At this point you have to make sure that your dllcache is replenished with bona fide files. This is a smart worm and the developers have gone to great lengths to make sure you overlook something. To replenish the dllcache you insert your Windows 2000 (in my case) CD-ROM, go to the command prompt and type:

sfc /purgecache /scannow

The last switch is only necessary in Windows 2000 Professional.

Now you have a new dllcache and you should be able to fire up the other Spyware catchers you have:

Adaware 6
BHODemon
HijackThis

Rebooting during this process when significant changes are made should get everything back to normal. Oh I forgot. You also have to reinstall Windows Media Player 9. If you are in XP I'm not sure what to do here...

And one last caveat. If you are using Windows 2000 SP3 then sfc will break your system. You need to get qfecheck.exe and determine with that what Hotfixes you need to reapply. Watch out for HTML Help breaking and you might need to reinstall Windows Messaging if you use it.

HTM someone.
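As an added example (not from George's post or from any of the tools he names), here is an offline triage script that applies the persistence indicators listed above to two exported artefacts: a .reg export of the Run keys and a copy of win.ini. The export and the win.ini contents are constructed sample data; the example reads the HKLM and HKCU Run keys, and the drop folder and file names are the ones from the post.

```python
import re
from typing import List, Tuple

# Indicators taken from the post: the drop folder under %SYSTEMROOT% and the
# two dropped binaries that have no legitimate home anywhere on the system.
DROP_FOLDER = "\\system32\\services\\"
ORPHAN_NAMES = {"dale.exe", "2.01.00.dll"}

# Constructed .reg export of the two Run keys (sample values, not real data).
# .reg files double every backslash inside quoted data.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"dale"="C:\\WINNT\\system32\\services\\dale.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"wmplayer"="C:\\WINNT\\system32\\services\\wmplayer.exe"
'''

# Constructed win.ini; the worm adds a run= line to the [windows] section.
WIN_INI = r'''[windows]
load=
run=C:\WINNT\system32\services\wmplayer.exe
NullPort=None

[fonts]
'''


def normalise(data: str) -> str:
    """Strip quotes, collapse .reg-style doubled backslashes, lower-case."""
    return data.strip().strip('"').replace("\\\\", "\\").lower()


def is_suspect(command: str) -> bool:
    """True if a start-up command points into the drop folder or runs an orphan binary."""
    cmd = normalise(command)
    if DROP_FOLDER in cmd:
        return True
    names = re.findall(r"[\w.\-]+\.(?:exe|dll)", cmd)
    return any(n in ORPHAN_NAMES for n in names)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, raw data) for every value in a .reg export."""
    rows, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            rows.append((key, name.strip().strip('"'), data.strip()))
    return rows


def parse_win_ini(text: str) -> List[Tuple[str, str]]:
    """Return the load= and run= entries of the [windows] section."""
    rows, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            name, _, data = line.partition("=")
            if name.strip().lower() in ("load", "run"):
                rows.append((name.strip(), data.strip()))
    return rows


def scan(reg_text: str, ini_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, location, command) for every suspicious start-up entry."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if is_suspect(data):
            hits.append(("registry", key + "\\" + name, normalise(data)))
    for name, data in parse_win_ini(ini_text):
        if is_suspect(data):
            hits.append(("win.ini", "[windows] " + name, normalise(data)))
    return hits


if __name__ == "__main__":
    for source, location, command in scan(REG_EXPORT, WIN_INI):
        print(f"{source:9} {location}\n          -> {command}")
```

The script only flags start-up entries; the genuine wmplayer.exe under Program Files that the worm replaces in place looks normal by path, which is why the post still sends you to CWShredder and sfc afterwards.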
 

tlviewer

I got hit by this twice before I found out that it
was a flaw in the Java VM.

http://support.microsoft.com/default.aspx?scid=kb;fr-fr;816093

If you don't run this patch you will get infected
again as long as you run IE with JAVA turned on.

regards,
tlviewer

 

George Hester

Mine was off. It was an ActiveX download. This one in any case. The patch may be a way to avoid it. I didn't address that. I hoped I could explain how to clean the system if acquired.

--
George Hester
 

George Hester

Oh I forgot to mention. That is a pretty old patch. JVM was updated long ago to that here.

Microsoft (R) Command-line Loader for Java Version 5.00.3810
Copyright (C) Microsoft Corp 1996-2000. All rights reserved.

It is not sufficient to stop this worm.

--
George Hester
 

news.microsoft.com

There is currently a thread on "microsoft.public.inetserver.iis.security"
entitled "Russian IIS hack? Malicious Javascript code".

Curiosity got the best of me. After clicking on the php urls in that
posting earlier today, my wmplayer.exe was also replaced with a worm.

The javascript code uses ado to copy a file from within a modal dialog
window.

If I delete the c":\program files\windows media player" directory completey,
the worm keeps bringing it back along with a handful of files, including
wmplayer.exe.

It's currently confined to my laptop (at work) which is turned off and
disconnected from the network.

I'll give these steps a try in the morning, but I wanted to identify the
link between these two postings ASAP.

Mike Olund




 

George Hester

Yes very good man. It is from a Russian site. I was going to post the IP address but I removed it (from the registry) before I sent this post. Crap. It hooks right back to the Russian site when you open your browser; or when the fake WMP fires. No you cannot just remove the WMP executable. It's a System file and so gets replaced with the one infected with the worm. CWShredder will get that part of it. But you still have to clear out that dllcache.
 

tlviewer

George,

Can you prove that you were infected after the patch was
installed? The vast majority of coolwebsearch exploits
are via the JAVA VM hole. There is a chance that you
were infected before the patch was installed and only
now have you discovered self-perpetuating remnants
of the infection.

If you look at the property pages of the Dale.exe, etc.
you can see the date/time when they entered your system.

If it's true that there are other pathways for infection
then we are all in for loads of trouble.

The last time I was hit the way you describe (below)
the offending spyware site was internet-optimizer.com

The amount of EXE, DLL, Services installed by
the trojan was overwhelming. The way I tracked them
all down was by finding the Setup distro in my
temp folder and then tracing via the modified/created
date/times of the components.

I use
Win2k sp3 w/816093 patch
IE 6

regards,
tlviewer
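tlviewer's method of tracing the components by their timestamps, as an added example that is not from the thread: the script parses a constructed `dir /s`-style listing (last-write times) and lists every file written within a short window after the dropper found in the Temp folder. The listing, the dropper name setup_[1].exe, the dates, sizes and the window length are assumptions; only the drop folder and the dropped file names come from the thread.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple


class Entry(NamedTuple):
    path: str
    size: int
    written: datetime


# Constructed `dir /s`-style listing (last-write times). The folder and the
# dropped file names come from the thread; the dates, sizes, the dropper name
# setup_[1].exe and the remaining files are sample values.
LISTING = r"""
 Directory of C:\WINNT\system32\services

06/23/2004  11:52 PM            28,672 wmplayer.exe
06/23/2004  11:52 PM             1,207 crontab.ini
06/23/2004  11:53 PM            27,648 dale.exe
06/24/2004  12:01 AM           139,264 2.01.00.dll

 Directory of C:\WINNT

06/23/2004  11:53 PM               548 win.ini

 Directory of C:\WINNT\system32

12/07/1999  07:00 AM            31,248 regsvr32.exe

 Directory of C:\Documents and Settings\user\Local Settings\Temp

05/10/2004  09:14 AM            16,384 ~DF1A2B.tmp
06/23/2004  11:51 PM           163,840 setup_[1].exe
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text: str) -> List[Entry]:
    """Turn a recursive dir listing into Entry records with full paths."""
    entries, folder = [], ""
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            folder = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if m:
            date, clock, size, name = m.groups()
            written = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
            entries.append(Entry(folder + "\\" + name, int(size.replace(",", "")), written))
    return entries


def files_near(entries: List[Entry], anchor_name: str, window_minutes: int = 15) -> List[Entry]:
    """Files written from the anchor's timestamp up to window_minutes later, oldest first."""
    anchors = [e for e in entries if e.path.lower().endswith("\\" + anchor_name.lower())]
    if not anchors:
        raise ValueError(f"anchor {anchor_name!r} not in listing")
    start = anchors[0].written
    end = start + timedelta(minutes=window_minutes)
    related = [e for e in entries if e != anchors[0] and start <= e.written <= end]
    return sorted(related, key=lambda e: e.written)


if __name__ == "__main__":
    for e in files_near(parse_dir_listing(LISTING), "setup_[1].exe"):
        print(f"{e.written:%Y-%m-%d %H:%M}  {e.size:>9,}  {e.path}")
```

The window is deliberately short: a dropper writes its components within seconds or minutes, so a narrow window keeps unrelated files (the old regsvr32.exe and the older Temp file here) out of the candidate list, which you then review by hand as tlviewer describes.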
 

George Hester

How do you propose I "prove it?" Would my telling you so not be sufficient? Heck if I could get you the install date you could then doubt I was infected and ask me to prove that.

But it really doesn't matter. If you doubt my veracity then so be it. Let me see, I may be able to show you the date the uninstall folder was made and the date on the files after I put them in a folder:

The Q816093.log in C:\WINNT was made on December 4, 2003 at 4:06AM. So I have it on for over 1/2 a year. I know about this patch man.

Now to prove I got the trojan. I saved all the files that got put into C:\WINNT\system32\services. I have deleted that folder so I cannot give you the date it was created. But how about the date the 2.01.00.dll was last accessed. This is the worm; the executable wmplayer.exe is just the client.

--a-- W32i DLL ENU 1.0.0.1 shp 139,264 06-24-2004 2.01.00.dll
--a-- W32i - - - - 28,672 06-23-2004 wmplayer.exe

I think that is sufficient.

--
George Hester
 

Alun Jones [MSFT]

George Hester said:
How do you propose I "prove it?" Would my telling you so not be
sufficient? Heck if I could get you the install date you could then doubt
I was infected and ask me to prove that.

The file modification date, as you say, doesn't go beyond what tlviewer was
suggesting, that there's a copy on your system that is going around
reinfecting you. All it shows is the date of a reinfection, if tlviewer's
theories are right.

The best proof, of course, would be to take a freshly installed system,
patch it, then visit a site that is known to carry the infection. Whether
you have the time and system to waste doing that is another concern, of
course.

Alun.
~~~~
 

George Hester

"that there's a copy on your system that is going around reinfecting you.." - OK. We'll just let it go at that. I suppose the 500 other viruses (Sasser; NETSKY;..) I have stored are having a hellofa time.

Oh since I'm here one other thing is make sure the Worm's New Dial-Up Connection is also removed.
 
