Coolwebsearch Keeps Passing My Defense...

There are two coolwebsearch files that keep passing my defense of KAV Pro 5.0.390, RegDefend 2.001, ProcessGuard 3.150, RegRun Gold 4.10, and WinPatrol Plus 9.7.4.0. I have no idea why it keeps happening once in a while, then I get an alert that the host file got changed after I run CWShredder and removes the registry entries. I find out the coolwebsearch reg entries are instaled by running xoftspy every afternoon, then remove the entries with xoftspy or CWShredder. The host file is set to read only though. Any idea what is going on?

dja2k

 

I believe that coolwebsearch is installed through MS Java Virtual Machine and Internet Explorer.
Here is a tool to remove it.
http://www.majorgeeks.com/download.php?det=4158

CAUTION! This is not reversible. Once done, it is done.
You can then download Sun Java to have Java on your machine. The last 2 computers I purchased both had Sun Java installed by default rather than MS Java Virtual Machine. I have not had coolwebsearch on my machine since.

 

Thats the thing, I don't use IE nor do I use microsoft's virtual machine. I already have the latest java routine installed.

dja2k

 

dja2k,

Do you have KAV set to act on riskware? I personally ran into a case at home where Trojan.Virtuomundo got through and was not flagged because riskware detection was off at the time. That's about the only potential hole I could see develop.

If registry entries are changing, and you're not getting an indication from RegDefend, that would imply you have a rule approving whatever is making the changes. I'd take a look at what RD is set to allow and adjust accordingly.

Blue

 

Hmm...
You have some real good defenses set up. I'm surprised you're still getting CWS.

 

Several other possibilities

1. He has CWS that is not 100% cleaned, that is why it keeps coming back.

2. There is no CWS, some false positive is at work caused by spywareblaster or maybe host file entries. So every few weeks when he renables protections , it seems to come back again.

To disprove this, we need him to post what registry entries are being found by xsoft.

 

Hi,

Which CWS files?

Have you scanned them at Jotti and Virus Total?
Have you submitted them to the AV/AT/AS vendors to look at?

Which reg-entries?


You said that you were using xoftspy.
I don't know what the situation is at this moment about it.
In the past it was listed at Eric's Rogue/Suspect-antispyware page, but it has been removed.
See: http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note

 

Yes I have the extended data base on KAV on. And CWShredder says I have a variant of the coolwebsearch trojan (cws.smartsearch.2). The CWShredder removed these :
cws.svchost32, cws.smartsearch, cws.jksearch, and cws.hidden.dll. Now I have no idea what is going on, either my protecting software is not working or how did these get past them.

dja2k

 

Hi,

Sorry, it is still not clear to me.
You're talking about CWS files and reg-entries.

Do I understand you right that only CWShredder finds those?
Do you have the latest version of CWShredder (it's now owned by TrendMicro)?
http://www.intermute.com/products/cwshredder.html

Do I understand you right that CWShredder finds them only after you have run that Xoftspy?
If so, what happens when you uninstall Xoftspy?

What happens if you disable system restore?
Does it come back?

 

I don't have system restore and no its not only when xoftspy finds them, but they come back after each reboot. And yes I have cwshredder from trendmicro, downloaded it from that site.

dja2k

 

Being a subscriber of Trend Micro, I finally sent email to technical support at Intermute, and they state "CWShredder 2.16 was never offically released. Please look for version 2.17 to be available in the coming weeks. No further information is available."

Meanwhile, back at the ranch, since I probably run CWShredder weekly, by virtue of reading this thread I cranked up CWShredder (2.16), i.e. the unofficial release, with update button etc., and it states it FOUND CWS.Smartsearch on a scan only, removes it on a scan/fix run, and a subsequent scan finds it again - definite CWS behavior.

I'm currently searching Internet to find out how to purge this beasty.

-- Tom

 

Tested with CWShredder 2.15 from Trend on my W98SE machine.
MD5 checksum: f8e6317ae55076fae45ba0aa5d16d983

Yep, it finds CWS.SmartSearch.
And that is a false positive !

What it does for example, is removing some legitimate entries on my HOSTS-file.

Tested by using Hostess, NIS File Check, Beyond Compare.

A screenie from Beyond Compare shows two entries in my HOSTS-file that are removed by CWShredder:
the entries shown in red

 

Think I removed it using the latest version of CWShredder. I had done an msconfig comand to remove a startup I didn't need, then I decided to run CWShredder and it found some variant on cws.msconfig, so I removed it, restarted, and it hasn't found any variants since. Anyways, if I by any chance did have a coolwebsearch infection before, none of the software I have actively blocks it from further modifications does it? I mean I am not really running anything like Counterspy or MSAS or Ewido active, though they wouldn't find it.

dja2k

 

Hi dja2k,

Just to be sure, have you rerun CWShredder to determine if it really removed the pest, or does it return with the next scan as CWS.Smartsearch did on my computer?

Yesterday I tried without success using HijackThis to remove CWS.Smartsearch which just kept on coming back - and no, it was not a false positive!

In the past I have volunteered to run Intermute's Dr. Diag tool to take a snapshot of my system for their analysis. At their suggestion, I downloaded, installed, and updated with most recent definitions (2.91 from 2.78 download) the latest version of Trend Micro's Anti-Spyware 3.0 (previously known as Spysubtract Pro from Intermute which also contains [probably latest version of CWShredder]), and since the link they gave me was stale, I went to TMs website to get the trial download. Trend Micro Anti-Spyware 3.0 found:
BHJK_CoolWebSearch aka CWS.SmartSearch and ADW_2020Search, i.e. C:\Windows\iun6002.exe, both of which were deleted after the full scan.

A subsequent run of CWShredder (multiple times) now indicates that the pest is finally gone.

Intermute now claims that version 2.16 of CWShredder was never officially released and that version 2.17 will be released in the coming weeks. Since both TM and Intermute's websites have reverted to issue 2.15, one wonders whether they are witholding updates to the free version of CWShredder in order to advance sales of TMAS 3.0?

-- Tom

P.S. TMAS appears to offer various (Venus) spyware traps, but when it started consuming about 50% CPU this AM (this may have been a scheduled scan I forgot to unschedule), I killed the process. It may have a large footprint as well (about 40MB) as I recall expressed in 40,xxxKB - don't remember the exact numbers. It also appears to have a useful interface with regard to security changes made to the system and assessments on vulnerability risks of certain settings.

P.P.S. If you add the entry "127.0.0.1 ZeroSpyWare.com" to the hosts file you can trigger a true false positive with Spybot S&D (latest version) which is a valid entry to protect your computer from redirection.

 

Yes it got removed with the newest version of cwshredder from Trendmicro. I restarted my computer several times and yest it was gone. Due to other circumstances, I did however clean out my system and did a reformat with a clean install of windows. Thanks all for the replies.

dja2

 

After further seeing one variant of Coolwebsearch, I found out that it was samurai adding something that was caught by cwshredder. After cwshredder removed the entry, after restart, I would get a regdefend popup saying that samurai wanted to add two values to the registry. Of course those were probably the values that cwshredder removed. Definately a false positive.

dja2k