Help in removal of CoolwwwSearch.SmartSearch

Discussion in 'malware problems & news' started by yogishree, Apr 12, 2005.

Thread Status:
Not open for further replies.
  1. yogishree

    yogishree Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    871
    Location:
    Chhattisgarh-India
    Hi,

    I am on a WIN ME system with McAfee VS (ver 8.0) and Kerio PFW 2.1.5 along with Proxomitron 4.5 Local HTTP Proxy.

    On one of my regular runs of SpyBot S&D (ver 1.4B2) I found the following:

    1. 45 entries of CoolwwwSearch.SmartSearch together with MySoft. While SpyBot could remove 43 entries, the 2 following entries could not be removed even after running it at StartUp:

    CoolwwwSearch.SmartSearch

    Redirected Host
    Zero SpyWare.com-127.0.0.1

    Redirected Host
    www.Zero SpyWare.com-127.0.0.1

    2. I then downloaded CWShredder as also PepiMK's 'CoolWWWSearch.Smartsearch killer'. First ran the latter (nothing detected), then ran the former in Safe Mode (again nothing detected). Ran SpyBot again - same 2 entries again.

    3. What else can be done, please?

    HELP is required from one of the many experts on the forum in removal of these entries.

    Thanks in advance.


    :'(
     
  2. Nick_morris

    Nick_morris Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    23
    Location:
    Ivybridge
    Hi, you could try running Ad-Aware from Lavasoft, it's a free download and should remove it; also delete all your temporary internet files and cookies. Nick
     
  3. yogishree

    yogishree Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    871
    Location:
    Chhattisgarh-India
    Hi Nick,

    Thanks for the advice.

    1. Removed all temp files with CCleaner.

    2. Ran AdAware SE Pers 1.05 -System reported clean.

    3. Ran Spybot again in Safe Mode - both entries still there.

    Any further suggestions, pal?
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  5. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  6. Down_Under

    Down_Under Registered Member

    Joined:
    Jan 18, 2005
    Posts:
    56
    Location:
    Brisbane,Qld,Australia
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands

    Bazooka does not get rid of anything. ;)

    This is from their own description:
    Regards,

    Pieter
     
  8. Nick_morris

    Nick_morris Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    23
    Location:
    Ivybridge
  9. yogishree

    yogishree Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    871
    Location:
    Chhattisgarh-India
    Hi Friends,

    Thanks for the advice everyone.

    1. Snapdragin - (a) Yes, I am using the Global Servers Blocklist of The Hosts Project (15th Jan '05 release) as also Proxomitron. On checking up my hosts file I find 'zerospyware.com' under the list header 'Fake Anti spyware-Spywarewarrior.com list' and 'www.Zerospyware.com' is present under the list 'software & Spyware'.

    (b) I did go through the interesting post on NetIntegration forums but really it does not tell me much about my own problem.

    (c) Does the presence of the two offending entries in my hosts file confirm Spybot's detection as a false positive? Would removal of the relevant entries from the hosts file solve the problem, or maybe disabling the hosts file itself? But I rather think not, and in that case what would you suggest?

    2. Kareldjag - the 'silentrunners' link does not relate to my ME OS; however, the 'cheapest' link appears to be interesting. Let me study this in detail and then I will revert back.

    3. Arntz - did install the program after downloading it from the suggested site and thereafter went off the net for some time. Returned for updating the program before running it but was not able to access the net at all - connection repeatedly and very unusually breaking down continuously. Writing this post during the interim period. [Finally did get the connection and am posting.]

    4. Nick - the suggested program is kola's SmartSearchKiller referred to in my original post. I have already run it, and one is supposed to run CWShredder after it, which was also done by me, both runs in Safe Mode, but no results.

    Any further suggestions / advice to eliminate these nasties?
     
  10. yogishree

    yogishree Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    871
    Location:
    Chhattisgarh-India
    Friends,

    I have just now noted a strange thing which i hasten to report.

    I had disabled my 'system restore' quite some time back and it was working fine also with an old edition of GO BACK with me. Some time back I did notice that the 'restore' had been enabled, and I immediately disabled it once again and was under the impression that it continues disabled.

    However, one of the links suggested by Kareldjag led me to the Symantec site for downloading a tool with instructions that RESTORE has to be disabled before any action. On checking up I find that not only is my RESTORE enabled once again, but as soon as I disable it and reboot I find my tick mark against "disable system restore" has vanished. I have repeated the procedure several times but with the same results.

    I think that possibly the items are hiding in the restore folder and this is the reason why spybot has not been able to remove them.

    Hope this helps in better understanding of my problem.

    But I do think that i have landed up with a hard nut and may require assistance on SOS basis.

    Thanks.
     
  11. dog

    dog Guest

    Hi yogishree, ;)

    The redirects Spybot is alerting you to are fine. The address 127.0.0.1 -or- 0.0.0.0 (depending on your setup) is a loopback to your PC. Simply put, if you typed zerospyware.com in your browser, your PC queries your hosts file to reference its DNS/IP address, where it finds it listed as 127.0.0.1 (your PC), which will prevent any connection to what it really is.

    This is a concern when malware writes entries to your hosts file that either redirect you to another site (theirs) or are loopbacks for useful/needed sites (ie. support forums etc.), which would prevent you from accessing them and receiving help. Using a hosts file in this manner (as a loopback to prevent access) is a very powerful tool, which can be exploited against you too, which is why Spybot alerts you to these findings, so that you may research those findings.

    The question of should that address be listed and credited to Eric Howes/Spyware Warrior is another matter. It would require permission from those parties to do so (Eric & SW), simply put, if they delist Zerospyware (because issues are corrected) and the source from which you obtained the hosts file continues to list that entry with credit to the same, zerospyware could launch legal action against Eric and company, because of the actions of others.

    The details of why it is currently listed on the Rogue List can be read here -> http://www.spywarewarrior.com/rogue_anti-spyware.htm#zs_note

    Which you can clearly see is the case here:
    You can either leave it or delete it (but I would recommend deleting it, as it has been de-listed). If you decide to leave it, scan with Spybot ... when it's found, expand the listing, and select to exclude it from further searches by right-clicking the individual entries and selecting "exclude this detection from further searches"; don't select "exclude this product", as it will exclude any findings under that product from detection, not just those entries.

    If you should later wish to remove the exclude status, in Advanced mode select "Settings", then "Ignore Single Entries", right-click the entry you wish to remove, and select remove. If you happen to select "Ignore Product" from the context menu mentioned above, in Advanced Mode go to Settings -> "Ignore Products", scroll down the list to where you will find it check-marked, and simply uncheck it.

    HTH,

    Steve

    BTW - I will search around for info on your System Restore Issue, if I find anything I'll let you know. ;)
     
    Last edited by a moderator: Apr 13, 2005
  12. yogishree

    yogishree Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    871
    Location:
    Chhattisgarh-India
    Thanks for the elaborate explanation.

    Maybe I am being thickheaded, but I still do not understand why they are being detected by S&D in my system. My understanding is:

    If I try to access the listed URL, then since the browser first looks in the hosts file it will direct me to the IP address listed therein, which in this case happens to be that of my own computer (127.0.0.1), so that I am saved a lot of grief as I am not able to access the suspected site at all.

    I understand it is this attribute of the computer, along with the presence of a hosts file on the system, which encourages unscrupulous elements to take advantage and overwrite the addresses against some of the URLs, so that the unsuspecting user is led to unwanted sites, which may lead to the user being exploited later.

    If I am correct in my understanding, then since the hosts file has been on my system for long, and the beta version of S&D has also been there for some time and I regularly run it, why should this be detected at this stage when I have never tried to access this particular site, to the best of my knowledge?

    Please do clarify.
     
    Last edited: Apr 14, 2005
  13. dog

    dog Guest

    That would simply be the result of the definitions Spybot uses/what it looks for. That's the nature of a beta. Actually on my system, Spybot flags about 40-45 hosts entries; I have them set to ignore, but I reset them occasionally to see if they continue to be flagged. My hosts file is my custom file, which is a little bit of a hobby I guess. But regardless, flagging hosts entries is a good thing, beta or not; the average person who uses Spybot probably isn't an advanced user (although many are), and they wouldn't likely employ a hosts file as a defence. So generally, in that case it'd be a good thing, as it would alert them to something suspect. It's good for advanced users too, as they'll certainly investigate whether those entries are justified or not, and will either exclude them from further scans or eliminate the entry. Either way it brings to the user's attention the potential of any problems, and highlights the power of that tool. It certainly is the most aggressive defence when compared with things like IE's restricted zone, which only limits some functionality, where a hosts file explicitly prevents any connection.

    Steve
     
  14. yogishree

    yogishree Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    871
    Location:
    Chhattisgarh-India
    Thanks once again for detailed explanations.
     
  15. BornMember

    BornMember Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    75
    Hi dog

    I have just run Spybot after Giant AS keeps freezing when scanning the browser for browser hijack attempts. Spybot detected Myweb and Smartsearch. I have let Spybot fix them but it can't seem to fix the following; I wonder if it is the same case that yogishree has encountered.

    CoolWWWSearch.SmartSearch: Redirected host (Redirected host, nothing done)
    Zerospyware.com=127.0.0.1

    CoolWWWSearch.SmartSearch: Redirected host (Redirected host, nothing done)
    www.Zerospyware.com=127.0.0.1

    CoolWWWSearch.SmartSearch: Redirected host (Redirected host, nothing done)
    www.EnigmaSoftwareGroup.com=127.0.0.1

    CoolWWWSearch.SmartSearch: Redirected host (Redirected host, nothing done)
    EnigmaSoftwareGroup.com=127.0.0.1

    "files couldn't be fixed reason could be that the associated files are in use (memory)"

    I have a host list from Bluetack.

    ThanX
     
  16. dog

    dog Guest

    Hi Born Member, ;)

    Those entries can safely be ignored, they're from BlueTack's hosts file, you can follow the instructions above to set Spybot to ignore those entries.

    Just so it's clear what those entries mean ... your browser references your hosts file/DNS cache to resolve the IP address before making an outbound connection; simply put, those entries tell your browser that that address is a local file (the address 127.0.0.1 indicates it's your computer - hence local file). The site of course isn't located there, resulting in a "not found" type message from your browser. In short it completely blocks access to a listed site, by redirecting the connection attempt in a loopback to your PC. It's an aggressive defence that is very effective and definite, but it does need to be utilized very carefully.

    As to Spybot not being able to delete them, I believe one of the agents in GiantAS (resident protection) protects your hosts file from any changes. If you do wish to remove those entries, disable the agent responsible for protecting your hosts file, then have Spybot "fix/remove" those items, then re-enable the GiantAS agent.

    You can also remove them manually by navigating to your hosts file, opening it with Notepad, using the find function (Ctrl + F) to enter the name of the item you wish to remove (ie. Zerospyware.com), then either deleting that line or simply adding a pound sign (#) in front of the entry (ie. #Zerospyware.com 127.0.0.1). You would of course have to disable Giant's resident protection to make the change manually, just as you would to have Spybot "fix" them.

    HTH, ;)

    Steve
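The two points Steve makes in posts 11 and 16 (a hosts entry pointing a name at 127.0.0.1 or 0.0.0.0 is a deliberate block, whereas an entry pointing a name at some other address sends the browser elsewhere and is what a hijacker would plant; and the manual fix is to prefix the line with "#") can be checked mechanically. The script below is an added example, not code from the thread or from Spybot; the hosts file contents, the hostnames and the 203.0.113.7 address are constructed for the demonstration. It parses a hosts file, groups every name by whether its entry is a loopback block or a redirect to a third-party address, and comments out the line for one exact hostname the way the post describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample hosts file for this example; the hostnames and the
# 203.0.113.7 address are made up, not taken from any real blocklist.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
# --- blocklist section: loop these names back to this PC ---
127.0.0.1       zerospyware.com
127.0.0.1       www.zerospyware.com
0.0.0.0         ads.example.com
# --- the kind of entry a blocklist never adds: a third-party IP ---
203.0.113.7     www.example-bank.invalid   # sends the browser elsewhere
"""


@dataclass
class HostsEntry:
    line_no: int
    ip: str
    hostnames: List[str]
    raw: str


def _parse_line(line_no: int, raw: str) -> Optional[HostsEntry]:
    """Parse one hosts line; return None for blanks and comment-only lines."""
    code = raw.split("#", 1)[0].strip()  # drop trailing comments
    parts = code.split()
    if len(parts) < 2:
        return None
    return HostsEntry(line_no, parts[0], parts[1:], raw)


def parse_hosts(text: str) -> List[HostsEntry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        entry = _parse_line(n, raw)
        if entry is not None:
            entries.append(entry)
    return entries


def classify(entry: HostsEntry) -> str:
    """'loopback' = block-style entry (127.0.0.0/8, ::1 or 0.0.0.0),
    'redirect' = any other address, 'malformed' = not an IP address at all."""
    try:
        ip = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"
    return "redirect"


def review(text: str) -> Dict[str, List[str]]:
    """Group every hostname in the file by what its entry does.
    'localhost' itself is skipped: that line is normal, not a block."""
    report: Dict[str, List[str]] = {"loopback": [], "redirect": [], "malformed": []}
    for entry in parse_hosts(text):
        kind = classify(entry)
        for name in entry.hostnames:
            if name.lower() == "localhost":
                continue
            report[kind].append(name.lower())
    return report


def comment_out(text: str, hostname: str) -> str:
    """Disable the line(s) mapping exactly `hostname` by prefixing '#', which
    is the manual fix described in the thread. Matching is case-insensitive
    and whole-name, so 'zerospyware.com' leaves 'www.zerospyware.com' alone."""
    target = hostname.lower()
    out = []
    for n, raw in enumerate(text.splitlines(), start=1):
        entry = _parse_line(n, raw)
        if entry and target in (h.lower() for h in entry.hostnames):
            out.append("# " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    report = review(SAMPLE_HOSTS)
    print("blocked via loopback :", report["loopback"])
    print("redirected elsewhere :", report["redirect"])  # these deserve a look
    print(comment_out(SAMPLE_HOSTS, "Zerospyware.com"))
```

Run against a real hosts file, the "redirect" group is the one to read line by line: a blocklist only ever produces loopback entries, so anything resolving a name to a routable address was put there by something else. The "loopback" group is what Spybot's "Redirected host" detection in this thread was listing, and on a machine with a deliberately installed blocklist it is expected.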
     