XXXToolbar and Coolwwwsearch re-appear in Registry

Hi,

This is my first post to this forum. I found it useful after I had a problem with a coolwwwsearch trojan a week ago.

With the help of "Hijackthis" and the Merjin.org site to decode the log, I discovered that I had an "O2 Browser Help Object" that was loading a DLL (see below) & causing my browser to be hijacked... (partial log below)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\DPE.DLL <<<-----"Cool Web Trojan Entry"
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX


I removed it with "Hijackthis" and I appeared to have cured the problem. I removed any entries from the registry under the key HKEY_CURRENT_USER such as:
Software\Microsoft\Windows\CurrentVersion\InternetSettingsAoneMap\Domains\coolwwwsearch.com

& a similar one for xxxtoolbar.

Suffice to say, I've not had the DLL which seemed to cause most of the probs lems, reload itself but I continue to get these HKEY_CURRENT_USER and HKEY_USERS entries in my registry for xxxtoolbar & coolwwwsearch.

My question is why & are they a problem?

I'm using Spyware Blaster v1.3 plus the Firefox browser after I read that getting rid of IE is a good idea. I have SpyBot loaded also & have run that in Safe Mode to see if it detects any virus that is present or reloading the coolwwwsearch & xxxtoolbar entries. Nothing comes up.

Does anyone have anymore clues as to
a) if these entries are a problem...?? and
b) if so, how to prevent their re-occurance...??


Ta
Steve

 

Spybot Search & Destroy is what is adding XXXToolbar and Coolwwwsearch to your registry. I had the same problem myself. The reason I know it is Spybot Search & Destroy causing it is because I had just scanned my computer with XoftSpy and removed all the spyware, then rescanned and it was clean, then immediately after that I installed Spybot Search & Destroy and clicked on the button in Spybot to "Immunize" my system then I rescanned with XoftSpy and XXXToolbar and Coolwwwsearch were back in my registry again.
I removed them again, then I tested it again and what I noticed is it only happens if you click the "Immunize" button in Spybot, otherwise the entries do not appear. And Spybot does not catch these 2 entries, because Spybot is whats causing them. Just don't click the "Immunize" button and the entries won't appear.

 

PeeWee - you're right, Spybot probably is adding those entries - as it should be! It is (and I believe SpywareBlaster also) adding those sites to your IE "restricted zone" so that you are protected from going to those nasties if your settings for "restricted" are correct. After you immunize with Spybot, it appears you scan with another piece of software that is incorrectly seeing these entries as a problem (false possitive) - it is just seeing the name and not seeing the location (restricted zone). Then you have deleted the protection that Spybot just set for you. You are defeating the purpose of using Spybot/SB by allowing another utility to undo the good work done by Spybot/SB etc. There are a few programs out there that are coming up with this false positive and several threads about it. Do yourself a favour and immunize with Spybot, enable all SB protection. Then, when another utility finds a problem make sure it isn't a false positive b-4 you "fix" it. Hope this helps shed some light.