coolwebsearchprob; can't stay logged in

Discussion in 'other security issues & news' started by jerryc, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. jerryc

    jerryc Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    7
    Hope this gets out to the forum. I'm posting here as I can't stay logged in other places to make a post; when I log in and click a page to make a post it comes up as guest again. I have something that's very persistent. Repeated scans with Ad-Aware keep finding things, although it's down to one or two and not the 20 or more before. Haven't rebooted yet; these are all scans one after the other. SpywareGuard won't come up, but it was giving me repeated warnings about BHOs and changing start page and search page etc. There was a 'coolwebsearch' warning at one point. 'about blank' has also been a warning. I am also getting popups, all seem to be false spyware 'help' ads.
    I have Ad-Aware, SpywareBlaster, SpywareGuard, Spybot, and just tried 'BlankBuster'. All have found things, all are updated.
    I do have a temp file that seems to be related, se.dll, and it won't delete.
    Any comments?
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jerryc,

    Make sure you have the most recent version of the following. I'll post the links here for you if you don't.

    Download the stand-alone version of CWShredder ver. 2.13
    http://www.intermute.com/spysubtract/cwshredder_download.html

    Download HijackThis ver 1.99.1
    https://www.wilderssecurity.com/showthread.php?t=12516

    Make sure Ad-Aware SE and Spybot S&D along with your antivirus are up-to-date, then boot your computer into Safe Mode by tapping the F8 key just before Windows begins to load.

    Scan with CWShredder first, pressing the *Fix* button, and fix what it finds.

    While still in safe mode, scan with Ad-AwareSE, Spybot S&D, and your Anti-virus (if you have one) and fix what they find.

    Boot your system back into normal mode and re-scan with the above.


    Next, do an on-line virus scan at one (preferably at two) of the following sites:
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    http://www.bitdefender.com/scan/licence.php
    http://www.commandondemand.com/eval/index.cfm
    http://www.freedom.net/viruscenter/onlineviruscheck.html
    http://info.ahnlab.com/english/
    http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

    Then with HijackThis placed in its own folder on your C drive (not a Temp folder or the desktop), double-click on hijackthis.exe and press the "Do a system scan and save a logfile" button. Save the log file as a .txt file. Do not fix anything in HijackThis by yourself without expert advice.

    Take the HijackThis scan to one of the following sites for analysis, where a HijackThis Expert will review it and give you further directions on cleaning your system:

    CastleCops - http://castlecops.com/forums.html
    Spywareinfo - http://www.spywareinfoforum.com/index.php

    Please let us know if you were able to get to CastleCops or Spywareinfo to post a log.

    (I'll move this thread into a better section of the forum in a little bit)

    Regards,

    snap

    PS - While you are in safe mode, clear your Temp folders. You can use the Disk Cleanup Wizard in XP to clear the Temporary Internet files and Temp Folder files. Go to Start, click Run, and type in cleanmgr and then click "OK" to bring up the Disk Cleanup Wizard.
     
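    The symptoms in the opening post (BHOs, start page and search page changes, an about:blank hijack) and the HijackThis log asked for above both come down to a handful of registry locations. The script below is an added example and not code from this thread or from HijackThis; it is a read-only PowerShell audit of those locations, assuming a Windows host with PowerShell 5.1 or later and read access to HKLM and HKCU. The function names are the example's own.

```powershell
# Added example, not code from the thread: a read-only audit of the Internet
# Explorer settings that CoolWebSearch-class hijackers change. Assumes Windows
# with PowerShell 5.1+ and read access to HKLM/HKCU. Function names are the
# example's own; nothing here modifies the system.

function Get-BhoReport {
    # Browser Helper Objects are registered by CLSID under this key; the DLL each
    # one loads is the (default) value of that CLSID's InprocServer32 key.
    $results = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $bhoKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem $bhoKey) {
            $clsid = $sub.PSChildName
            $dll = $null
            foreach ($classRoot in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
                $srv = Join-Path $classRoot "$clsid\InprocServer32"
                if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
            }
            $path   = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $exists = [bool]($path -and (Test-Path $path))
            # -and short-circuits, so the signature check only runs for files that exist
            $signed = $exists -and ((Get-AuthenticodeSignature $path).Status -eq 'Valid')
            # A BHO whose DLL lives in a Temp folder (like the se.dll in the opening
            # post), is missing, or is unsigned is what a log reviewer looks at first.
            $inTemp = [bool]($path -and ($path -match '\\Temp\\|\\Temporary Internet Files\\'))
            $results += [pscustomobject]@{
                Hive = $hive; CLSID = $clsid; Dll = $path
                FileExists = $exists; Signed = [bool]$signed; InTemp = $inTemp
                Review = (-not $exists) -or (-not $signed) -or $inTemp
            }
        }
    }
    $results
}

function Get-IePageReport {
    # The start/search page values that HijackThis reports as R0/R1 entries.
    $targets = @(
        @{ Key = 'Software\Microsoft\Internet Explorer\Main'
           Names = 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL' },
        @{ Key = 'Software\Microsoft\Internet Explorer\Search'
           Names = 'SearchAssistant', 'CustomizeSearch' }
    )
    $results = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($t in $targets) {
            $key = "${hive}:\$($t.Key)"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty $key
            foreach ($name in $t.Names) {
                $value = $props.$name
                if ($null -eq $value) { continue }
                # about:blank by itself is IE's normal blank page; the hijack described
                # in the thread is a BHO that hooks it, so correlate with Get-BhoReport.
                # Anything that is not http(s) or about:blank (res://, file:, a local
                # path) is what a hijacked start or search page typically looks like.
                $review = $value -notmatch '^(https?://|about:blank$)'
                $results += [pscustomobject]@{
                    Hive = $hive; Key = $t.Key; Name = $name; Value = $value; Review = [bool]$review
                }
            }
        }
    }
    $results
}

Get-BhoReport    | Format-Table -AutoSize
Get-IePageReport | Format-Table -AutoSize
```

    Rows with Review set to True are the ones worth carrying into a HijackThis log review; the script deliberately does not delete or repair anything, in line with the advice above not to fix entries without expert guidance.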
  3. jerryc

    jerryc Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    7
    Thx snapdragin,
    Done the downloads and made the folders; have to wait to do the stuff a day or two, due to having a life... heh. I'm now on another computer temporarily.
    I have noticed that the repeated scans I did, one after the other, seem to have eliminated the warnings about coolwebsearch and BHOs, and the homepage change that I mentioned in the original post. Now, or that is up 'til I shut down, all I was getting were the popup ads I had mentioned. Now I suppose I'll see if they return, using the system restore, which I did not turn off. I just mention this as it seems that repeated scans are quite valuable.
    I will be using the proggies though that you linked me to, and I'll issue a report as it happens, or nearly so.
    I forgot; between the time I originally posted and your reply, I had tried Panda scan, which found 3 viruses and 2 suspicious. I had not clicked the 'fix' or 'repair' or 'immunize' box, or one like that, which I didn't realize 'til the scan was done. On reading the results it said that was an option, so I rescanned, clicking the box. Now, this is where it gets odd, as it said that immunize or whatever they call it is not an option for the free service. So then why the box?? And then the results are, the 3 viruses do not show and there's only one suspicious, which is the same one I mention above, se.dll. I did send it to Panda and they haven't gotten back to me about it yet. So I don't know if the 3 viruses, which I have the path for, are gone or not.
     
    Last edited: Feb 22, 2005
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jerry,
    Doing the scans may have indeed removed some parts of the infection, but with CoolWebSearch there could be other hidden files deeper in the operating system that might (and usually do) become active again...sometimes in a week, a day, or even within hours. At least you are able to get enough control of your computer now that you can follow up with posting a HijackThis log at one of the sites I linked to above for a deeper system analysis. If there is something still hidden there, the HijackThis Experts will hopefully be able to help you find it and remove it.

    I would not advise using a system restore point at this stage as Windows file protection will back up a file, infected or not, to a restore point. If you use a restore point that has the infected files in it, then you risk reinfecting yourself all over again, unless you are positive there is a restore point there prior to any infection. :doubt:

    I do urge you to follow up with a deeper analysis....with CoolWebSearch, there is always more than one infection...the most recent versions of CWS being quite difficult to remove.

    Please do let us know how it works out.

    Best of luck, jerry. :)

    Regards,

    snap
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    I just read the extra part you added to your post. It has been a while since I've done an on-line scan myself, but maybe try several on-line scanners in the list.

    With some of the more recent variants of CWS infections...most of the conventional methods of removal (meaning scanners) cannot remove it, and it takes special tools and guided instructions by spyware experts to help you remove the hidden files. That is why with CWS infections, or any hints of it...it is strongly advised to follow up with a HijackThis analysis. ;)

    Regards,

    snap
     
  6. jerryc

    jerryc Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    7
    Hmm; maybe I misspoke or don't have the correct understanding of system restore. But I know when/where/how I got the baddie, and I've only been online with this OS (I am multibooting 4 OSes) for a few days, so going to a 'before' startup is simple actually. So, then what? I guess that would mean that the whateveritis wouldn't get started, so that's good, and it would be easier to find/eliminate. Right? Or is it easy to go after it from one of the other OSes? That is, boot into XP say (the affected OS is 2003 Server; I'm taking a class), and try to use one or all of the various tools. Actually this is one reason I partitioned my new HD, to try to stay on top of things and access one drive from another. I have the concept, just not on top of the execution.
    Thx.
     
  7. jerryc

    jerryc Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    7
    So this is an update; I booted into XP safe mode and went over to the server drive to CWShredder and scanned; nothing. Because it doesn't specify what it's scanning I wasn't sure it did the drive with the problems, so I rebooted into the server drive in safe mode and scanned again; nothing. I was able to delete Temp and TIF files that I couldn't before, apparently because I was in safe mode, and that's where things are at the moment. I'm going to reboot into normal mode in that drive and see what happens. Some of the files I deleted had a path that had originated from a PC Health website, so that's interesting; I remember being there but not what I did, so don't remember why they were on my system. Hope this isn't too confusing.
    Thx again.
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jerry,

    I am not familiar with the 2003 Server OS, or multibooting 4 OSes, so I cannot comment on how that is done or if it would clean the infected system completely or not.

    Have you gone to one of the sites I linked to above and posted a HijackThis log for review? Rather than guessing if your system is clean, it would be safer to ensure that it's clean with a deeper analysis by an experienced spyware removal Expert.

    Regards,

    snap
     
  9. jerryc

    jerryc Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    7
    Oh, no assumptions here, and I have posted a HJT log at bleepingcomputer.com, which seems to also be a knowledgeable and helpful site.
    The stuff isn't all gone, that's clear after booting up. Some of the files I had deleted in safe mode are back. I did hear from Panda about the online scan I did, and they say it's a new form of an Adware/search.exe that they'll have an online fix for in a short time. But I'm going to go with the manual fix.
    Thx for paying attention to my difficulties, I'll let you know how it goes.
    Jerry
     
  10. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    Hi, :)

    Speaking of CWShredder, SpyCop has detected it again as Spector Pro eBlaster and deleted it!! I have another post on this issue from a few weeks ago for anyone that may be interested. I have now added the detection to the SpyCop ignore list since I have downloaded another version of CWShredder. :rolleyes:

    Hard Rocker !!
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Hard Rocker,

    I realize you are new to the forum and still getting used to how things work here, but if you are still having problems with the SpyCop program detecting a false positive, could you please follow that up in your thread so we don't take this thread off topic. ;)

    You can find your thread here:
    https://www.wilderssecurity.com/showthread.php?t=63959

    Thank you,

    snap
     