Coolwebsearch Keeps Passing My Defense...

Discussion in 'other anti-malware software' started by dja2k, Oct 16, 2005.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    There are two coolwebsearch files that keep passing my defense of KAV Pro 5.0.390, RegDefend 2.001, ProcessGuard 3.150, RegRun Gold 4.10, and WinPatrol Plus 9.7.4.0. I have no idea why it keeps happening once in a while; then I get an alert that the hosts file got changed after I run CWShredder and it removes the registry entries. I find out the coolwebsearch reg entries are installed by running xoftspy every afternoon, then remove the entries with xoftspy or CWShredder. The hosts file is set to read only though. Any idea what is going on?

    dja2k
     
  2. Ailric

    Ailric Guest

    I believe that coolwebsearch is installed through MS Java Virtual Machine and Internet Explorer.
    Here is a tool to remove it.
    http://www.majorgeeks.com/download.php?det=4158

    CAUTION! This is not reversible. Once done, it is done.
    You can then download Sun Java to have Java on your machine. The last 2 computers I purchased both had Sun Java installed by default rather than MS Java Virtual Machine. I have not had coolwebsearch on my machine since.
     
  3. dja2k

    dja2k Registered Member

    That's the thing, I don't use IE nor do I use Microsoft's virtual machine. I already have the latest Java runtime installed.

    dja2k
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    dja2k,

    Do you have KAV set to act on riskware? I personally ran into a case at home where Trojan.Virtuomundo got through and was not flagged because riskware detection was off at the time. That's about the only potential hole I could see develop.

    If registry entries are changing, and you're not getting an indication from RegDefend, that would imply you have a rule approving whatever is making the changes. I'd take a look at what RD is set to allow and adjust accordingly.

    Blue
     
  5. Ailric

    Ailric Guest

    Hmm...
    You have some real good defenses set up. I'm surprised you're still getting CWS.
     
  6. DA 325

    DA 325 Guest

    Several other possibilities

    1. He has CWS that is not 100% cleaned, that is why it keeps coming back.

    2. There is no CWS, some false positive is at work caused by SpywareBlaster or maybe hosts file entries. So every few weeks when he re-enables protections, it seems to come back again.

    To disprove this, we need him to post what registry entries are being found by xoftspy.
     
  7. FanJ

    FanJ Guest

    Hi,

    Which CWS files?

    Have you scanned them at Jotti and Virus Total?
    Have you submitted them to the AV/AT/AS vendors to look at?

    Which reg-entries?


    You said that you were using xoftspy.
    I don't know what the situation is at this moment about it.
    In the past it was listed at Eric's Rogue/Suspect-antispyware page, but it has been removed.
    See: http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note
     
  8. dja2k

    dja2k Registered Member

    Yes, I have the extended database on KAV on. And CWShredder says I have a variant of the coolwebsearch trojan (cws.smartsearch.2). CWShredder removed these:
    cws.svchost32, cws.smartsearch, cws.jksearch, and cws.hidden.dll. Now I have no idea what is going on; either my protection software is not working, or how did these get past it?

    dja2k
     
  9. FanJ

    FanJ Guest

    Hi,

    Sorry, it is still not clear to me.
    You're talking about CWS files and reg-entries.

    Do I understand you right that only CWShredder finds those?
    Do you have the latest version of CWShredder (it's now owned by TrendMicro)?
    http://www.intermute.com/products/cwshredder.html

    Do I understand you right that CWShredder finds them only after you have run that Xoftspy?
    If so, what happens when you uninstall Xoftspy?

    What happens if you disable system restore?
    Does it come back?
     
  10. dja2k

    dja2k Registered Member

    I don't have system restore, and no, it's not only when xoftspy finds them; they come back after each reboot. And yes, I have CWShredder from Trend Micro, downloaded from that site.

    dja2k
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
    Being a subscriber of Trend Micro, I finally sent email to technical support at Intermute, and they state "CWShredder 2.16 was never officially released. Please look for version 2.17 to be available in the coming weeks. No further information is available."

    Meanwhile, back at the ranch, since I probably run CWShredder weekly, by virtue of reading this thread I cranked up CWShredder (2.16), i.e. the unofficial release, with update button etc., and it states it FOUND CWS.Smartsearch on a scan only, removes it on a scan/fix run, and a subsequent scan finds it again - definite CWS behavior.

    I'm currently searching Internet to find out how to purge this beasty.

    -- Tom
     
  12. FanJ

    FanJ Guest

    Tested with CWShredder 2.15 from Trend on my W98SE machine.
    MD5 checksum: f8e6317ae55076fae45ba0aa5d16d983

    Yep, it finds CWS.SmartSearch.
    And that is a false positive !

    What it does for example, is removing some legitimate entries on my HOSTS-file.

    Tested by using Hostess, NIS File Check, Beyond Compare.

    A screenie from Beyond Compare shows two entries in my HOSTS-file that are removed by CWShredder:
    the entries shown in red
     

    Last edited by a moderator: Oct 18, 2005
  13. dja2k

    dja2k Registered Member

    Think I removed it using the latest version of CWShredder. I had done an msconfig command to remove a startup I didn't need, then I decided to run CWShredder and it found some variant of cws.msconfig, so I removed it, restarted, and it hasn't found any variants since. Anyway, if I by any chance did have a coolwebsearch infection before, none of the software I have actively blocks it from further modifications, does it? I mean I am not really running anything like CounterSpy or MSAS or Ewido active, though they wouldn't find it.

    dja2k
     
    Last edited: Oct 19, 2005
  14. lotuseclat79

    lotuseclat79 Registered Member

    Hi dja2k,

    Just to be sure, have you rerun CWShredder to determine if it really removed the pest, or does it return with the next scan as CWS.Smartsearch did on my computer?

    Yesterday I tried without success using HijackThis to remove CWS.Smartsearch which just kept on coming back - and no, it was not a false positive!

    In the past I have volunteered to run Intermute's Dr. Diag tool to take a snapshot of my system for their analysis. At their suggestion, I downloaded, installed, and updated with most recent definitions (2.91 from 2.78 download) the latest version of Trend Micro's Anti-Spyware 3.0 (previously known as Spysubtract Pro from Intermute which also contains [probably latest version of CWShredder]), and since the link they gave me was stale, I went to TMs website to get the trial download. Trend Micro Anti-Spyware 3.0 found:
    BHJK_CoolWebSearch aka CWS.SmartSearch and ADW_2020Search, i.e. C:\Windows\iun6002.exe, both of which were deleted after the full scan.

    A subsequent run of CWShredder (multiple times) now indicates that the pest is finally gone.

    Intermute now claims that version 2.16 of CWShredder was never officially released and that version 2.17 will be released in the coming weeks. Since both TM's and Intermute's websites have reverted to issue 2.15, one wonders whether they are withholding updates to the free version of CWShredder in order to advance sales of TMAS 3.0?

    -- Tom

    P.S. TMAS appears to offer various (Venus) spyware traps, but when it started consuming about 50% CPU this AM (this may have been a scheduled scan I forgot to unschedule), I killed the process. It may have a large footprint as well (about 40MB) as I recall expressed in 40,xxxKB - don't remember the exact numbers. It also appears to have a useful interface with regard to security changes made to the system and assessments on vulnerability risks of certain settings.

    P.P.S. If you add the entry "127.0.0.1 ZeroSpyWare.com" to the hosts file you can trigger a true false positive with Spybot S&D (latest version) which is a valid entry to protect your computer from redirection.
     
    Last edited: Oct 20, 2005
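FanJ's Beyond Compare check (post 12) and Tom's hosts-file note above come down to the same test: snapshot the HOSTS file before and after a cleaner runs, then see whether what it removed were blocklist entries (names sunk to a loopback or null address, a likely false positive) or real redirections of a name to some other host. The Python script below is an added example, not a tool from this thread; its two snapshots are constructed, and apart from ZeroSpyWare.com (taken from the post above) every name and address in them is made up.

```python
import ipaddress

# Constructed sample snapshots: the user's HOSTS file before a cleaner ran,
# and the same file afterwards. Only ZeroSpyWare.com comes from the thread.
HOSTS_BEFORE = """\
# sample header comment
127.0.0.1       localhost
127.0.0.1       ZeroSpyWare.com          # user's blocklist entry
127.0.0.1       ads.example-adserver.test
0.0.0.0         tracker.example.test
203.0.113.7     www.bank.example         # points a real name elsewhere
"""
HOSTS_AFTER = """\
# sample header comment
127.0.0.1       localhost
0.0.0.0         tracker.example.test
203.0.113.7     www.bank.example
"""

BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}   # targets that just sink a name

def parse_hosts(text):
    """Return {hostname: ip} for every active mapping; comments are ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                      # malformed line, skip it
        for host in parts[1:]:
            mapping[host.lower()] = ip
    return mapping

def classify(host, ip):
    # Blackholed names are blocklist entries; anything else redirects a name.
    if host == "localhost":
        return "system default"
    if ip in BLACKHOLE:
        return "blocklist (removal is likely a false positive)"
    return "redirection (review: possible hijack)"

def diff_hosts(before_text, after_text):
    """Report entries the cleaner removed or added, each with a verdict."""
    before, after = parse_hosts(before_text), parse_hosts(after_text)
    removed = {h: (ip, classify(h, ip)) for h, ip in before.items() if h not in after}
    added = {h: (ip, classify(h, ip)) for h, ip in after.items() if h not in before}
    return {"removed": removed, "added": added}
```

Running `diff_hosts(HOSTS_BEFORE, HOSTS_AFTER)` on the sample shows the cleaner removed only the two loopback blocklist entries and left the one entry that actually redirects a name, which is the pattern both posts describe.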
  15. dja2k

    dja2k Registered Member

    Yes, it got removed with the newest version of CWShredder from Trend Micro. I restarted my computer several times and yes, it was gone. Due to other circumstances, I did however clean out my system and did a reformat with a clean install of Windows. Thanks all for the replies.

    dja2
     
  16. dja2k

    dja2k Registered Member

    After further seeing one variant of Coolwebsearch, I found out that it was Samurai adding something that was caught by CWShredder. After CWShredder removed the entry, after restart, I would get a RegDefend popup saying that Samurai wanted to add two values to the registry. Of course those were probably the values that CWShredder removed. Definitely a false positive.

    dja2k
     