TDS detecting coolwebsearch with NetScanner?

Discussion in 'Trojan Defence Suite' started by MnSD, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. MnSD

    MnSD Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    17
    Location:
    San Diego, CA.
    Folks,
    I kinda ran into the same unresolved question as a new user of TDS3. I will post what I sent in to DCS and what they recommended. My HijackThis log came up clean, and so did my PE logs, but no one has been able to explain to my satisfaction why coolwebsearch shows up as listening on my ports. I am new with this product, so excuse my lack of knowledge as I learn to work with this toolset.

    Thanks,
    Mike

    please see below:

    DCS Support reply:

    Hi,

    These seem like legitimate ports. If you want to check your system thoroughly, try Port Explorer, which has a free demo: http://www.diamondcs.com.au/portexplorer

    Once installed and rebooted, you can choose FILE > SAVE TABLE and send us that, which will show all port info.

    We recommend you do post an Adware "HijackThis" logfile in this forum for some expert spyware/adware help:
    https://www.wilderssecurity.com/showthread.php?t=15913


    Best regards,
    DiamondCS Support

    PROCESS GUARD - CRITICAL Protection for Windows 2000/XP
    - Ensure Windows Integrity
    - Stop rootkits, DLL injection
    - Prevent firewall bypassing
    http://www.diamondcs.com.au/processguard



    ----- Original Message -----

    To: support@diamondcs.com.au
    Sent: Thursday, June 17, 2004 2:06 PM
    Subject: TDS and coolwebsearch


    Hello TDS team,

    I am a new (registered) TDS user, user name on the license, so let me apologize in advance if this question is not really a problem. I have just run the DiamondCS netscan. I noticed that on some of my ports it seems coolwebsearch is listening, when I right-clicked to identify the address. I have included the following:

    UDP 127.0.0.1:1900

    TCP 127.0.0.1:1029

    TCP 127.0.0.1:1027



    These were listed on the left side of the table the Netscanner created. When I right-clicked to get specific info on the item, it listed coolwebsearch for all three and seemed to indicate that those ports were used by them. Please assist me in understanding the situation.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello there and welcome to the forum.
    Your question is not really clear to me, as to me none of the port numbers 1900, 1029 or 1027 resolve to coolweb, so where did you get that info from?
    1900: SSDP - SSDP (UDP)
    1029: ICQ Instant Messenger, RAT: Latinus
    1027: RAT: Latinus

    Which netscan did you mean exactly and how did you see that name listening to some port?

    In the meantime, can you please check your HOSTS file
    (TDS > System Analysis > View File > Network Hosts) and tell us what the first lines look like?
    127.0.0.1 localhost
    should be there, for instance.
    If anything changed it...?

    For Port Explorer: that gives a good overview of what is going on exactly on your ports, so when you see it happen again, please freeze the display a moment (PE > Settings > Pause Display) to be able to save that exact table in File > Save Table; the resulting text file you can paste into your posting.
    (You might like to edit your own IP address out with xxx.xxx.xxx.xxx for privacy.)

    Looking forward to your explanation.
     
  3. MnSD

    MnSD Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    17
    Location:
    San Diego, CA.
    Jooske,
    Thanks for the quick response. I just turned on the PE product, and this is what I found. The only difference between the two logs is that in log B I went into the settings and clicked on "show resolved addresses". Then the coolwebsearch wording appears in the logs. These were done seconds apart, from log A to B. As for the TDS3 settings and coolwebsearch, first, my Target Host is 127.0.0.1, which I believe is correct. When I go into the System Analysis tab in TDS3 and click on NetStat (excuse me for calling it netscanner... it's late in California... long week), all my TCP and UDP ports come up and I can see who is listening etc., as you know.
    I just got this line live: TCP 127.0.0.1:1030 0.0.0.0:2208. When I click "who is 127.0.0.1" I get coolwwwsearch; when I click "who is 0.0.0.0" I get my computer name. Any of the TCP and UDP ports that start with the resolved host address of 127.0.0.1 all = coolwwwsearch. I think this is not normal, but I am a novice with this stuff. I also know my cable modem is in an endless data beep light mode, which I also am not sure is normal. You guys have been great so far; thanks for all your assistance in understanding what is going on.

    Mike
    Logs A&B
     

  4. MnSD

    MnSD Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    17
    Location:
    San Diego, CA.
    Here is PE log B; sorry, it did not take with Log A.

    Mike
     

  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  6. MnSD

    MnSD Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    17
    Location:
    San Diego, CA.
    Derek,
    Thanks to you and everyone else (Jooske) for your help. I have a couple of questions. Yes, I use Spybot S&D. 1st, where can I correct this error in my system, and also, on my cable modem, should the data light constantly be active, i.e. blinking? Again, thanks so much.

    Currently using Spybot S&D, SpywareGuard & SpywareBlaster, also MRU Blaster, TDS3 and Pest Patrol with NAV 2003 and NIS 2003, all updated very frequently.

    Looking forward to learning what I can from your site also Derek.

    Mike
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Dvk's answer explains too why I didn't have that
    127.0.0.1 www.coolwebsearch.com
    as a first line: I did already have a HOSTS file and I might have set the attributes to read-only.
    An easy way is via TDS > System Analysis > View File > Network Hosts;
    this will open the HOSTS file so you can edit it.
    Just after the line starting with ## paste this as a first line:
    127.0.0.1 localhost

    Since you're on a dialup modem this next suggestion is not really for you, but people who are on a permanent IP address might like to add that as well with some name: say your permanent IP would be this
    123.123.123.123 www.myowndomain.com
    and make sure that myowndomain.com is something non-existing.
    That 123.... is your public IP address people would use to connect with you.
    In your Port Explorer table for local host on the public IP level you would see that www name instead of local host.
    Try the whois (look in TDS for your current IP address and add that in this way to the HOSTS file) and you will see that your IP 123.123.123.123 resolves to your new self-chosen domain name, but only for you, not over the internet to the outside world.
    Don't forget to remove it from the HOSTS file if you're on dynamic IPs!
    In the table you can also see connections to your computer name, so maybe you named your computer {not available} to create some confusion.
    In this way the Port Explorer table will be clearer for you as to which is which and what connects to what, etc.
    For me it's easier to see if something is suspicious or not.
     
  8. MnSD

    MnSD Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    17
    Location:
    San Diego, CA.
    Jooske,
    Thanks so much for your help; your team rocks! I unfortunately have been unable to insert the localhost line as you suggested. I tried it in Spybot, but there is no way to insert; you can delete individual sites off the host list there, or the whole list, but not add hosts. So I looked at their help file, which directed me to where the actual file resides in XP Home Edition. I used WordPad to try to insert it, but no luck... do I need to be an administrator maybe? Maybe someone else has had this come up? You were right about the host list in Spybot... all the web links that I thought were spying on me were just my host list protecting me. Hope you can help with this last step. I am running broadband through a cable modem... so I will take your advice on part 2 of your post to me, about setting up a fake domain, since I do have, and know, what my static IP address is. Soooo, once I get the host file resolved with your help, I will be back in listen mode on here. Just one last thing, out of curiosity: what firewall and AV program do you like to run at home on your family-use computer? I know they all have a slightly different approach; just gathering some data points.

    Mike
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you search for the HOSTS file via Windows Explorer, right-click for its properties and attributes: has it been set protected on "read only"? Spybot S&D might have done that for you, so you should temporarily allow it to be a normal archive file so you can edit it yourself at will.
    Hope this helps!
    I did not set Spybot S&D to do anything like that, as I updated it to the latest version only recently and I see too many people in this forum having problems with all kinds of its settings and protections, and formerly fine-running software getting into trouble all of a sudden. I want to get to know the new toys in it step by step and from users' comments first. So I only use it as an on-demand scanner when I want to, incidentally, at the moment.

    On a family computer I would like either a very easy thing that just runs, or one with lots of expert rules in it but password protected by the admin; AV/AT could be auto-updating, etc.
     
  10. MnSD

    MnSD Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    17
    Location:
    San Diego, CA.
    Jooske,
    Well, the good news is that I did what you said and it worked! When I resolve the local host with TDS, the first one says Full Name: Localhost. The bad news is that I additionally get 36 alias names and, you guessed it, they are the ones from my list of banned sites that Spybot S&D has set to my local host IP address to protect me from those malicious sites. I see your point about all the new features built into Spybot, but I can't fault them for making their product more functional as the products they protect against get more sophisticated. I am using SpywareBlaster also. It has banned sites also; maybe the lists are very similar and I will turn off the one in Spybot? Is that a viable solution in your opinion? I was looking at the list from Spybot, and many of the sites just have normal names that you would not think twice about clicking on... I guess if it wasn't on a list I would not feel that a site named coolwebsearch would be one not to use. Sounds like a normal website on the surface.
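    Jooske's fix (put `127.0.0.1 localhost` in front of the blocklist lines) and Mike's result (localhost as full name, the blocked sites as aliases) both follow from one rule the thread demonstrates: the first name mapped to an address in HOSTS is reported as the full name and the rest as aliases. The script below, added here and not part of the thread or any DiamondCS tool, checks a HOSTS file for that ordering and applies the fix; the file contents, site names and "first name wins" modelling are constructed assumptions.

```python
import re

# Constructed sample, not the poster's real file: a HOSTS file after a
# spyware blocklist has been written in front of the localhost line.
HOSTS_BEFORE = """\
## Hosts file - comment header (constructed)
127.0.0.1 www.coolwebsearch.com
127.0.0.1 ads.example-tracker.test
127.0.0.1 www.example-badsite.test
127.0.0.1 localhost
"""

def parse_hosts(text):
    """Return (ip, name) pairs in file order, skipping comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n) for n in names)
    return pairs

def reverse_lookup(text, ip):
    """Model HOSTS-based reverse resolution as seen in the thread (assumption):
    the first name mapped to the address is the full name, the rest are aliases."""
    names = [n for a, n in parse_hosts(text) if a == ip]
    if not names:
        return None, []
    return names[0], names[1:]

def localhost_is_first(text):
    """True when 127.0.0.1 resolves to localhost, so loopback sockets in
    Port Explorer/TDS NetStat are labelled localhost, not a blocked site."""
    full, _ = reverse_lookup(text, "127.0.0.1")
    return full is not None and full.lower() == "localhost"

def ensure_localhost_first(text):
    """Jooske's fix: insert '127.0.0.1 localhost' as the first entry after the
    comment header. Any existing localhost line is dropped so it appears once."""
    if localhost_is_first(text):
        return text
    lines = [l for l in text.splitlines()
             if not re.match(r"^\s*127\.0\.0\.1\s+localhost\s*$", l, re.I)]
    i = 0
    while i < len(lines) and (not lines[i].strip() or lines[i].lstrip().startswith("#")):
        i += 1                                 # skip the leading comment block
    lines.insert(i, "127.0.0.1 localhost")
    return "\n".join(lines) + "\n"
```

Run `localhost_is_first` against the live file before editing; if it is False, the blocklist has moved in front of localhost and `ensure_localhost_first` shows the corrected ordering to write back (after clearing the read-only attribute, as the thread notes).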
     
  11. FanJ

    FanJ Guest

    My personal opinion:

    1.
    read this site about HOSTS:
    http://www.accs-net.com/hosts/

    2.
    use Hostess (free) to maintain your HOSTS file:
    http://accs-net.com/hostess/

    3.
    there are several frequently updated (free) HOSTS files on the net to download, for example:
    hpguru's HOSTS File:
    http://webpages.charter.net/hpguru/hosts/hosts.html
    MVPS HOSTS File:
    http://www.mvps.org/winhelp2002/hosts.htm

    4.
    Use IE-SPYAD (if you're using Internet Explorer):
    http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD

    5.
    Use SpywareGuard and SpywareBlaster from Javacool (if the current version of SpywareBlaster doesn't give a problem on your system).

    6.
    see this thread:
    https://www.wilderssecurity.com/showthread.php?t=38285

    7.
    see this thread:
    https://www.wilderssecurity.com/showthread.php?t=27971
     
  12. MnSD

    MnSD Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    17
    Location:
    San Diego, CA.
    FanJ,
    Thanks for reviewing my post and giving myself and others a ton of good info on the subject of host management. I would think that with the new version of Spybot S&D (1.3) gaining popularity, and people looking to defend against trojans with TDS, this will begin to pop up with some frequency. It was just a few curious mouse clicks from no problem at all to thinking something is wrong. I actually noticed the original problem over a week ago and posted a log to the HijackThis guys in the Spyware/Trojans forum. I hope the guys from DiamondCS support monitor this post thread. It really should probably be in their FAQs. There is a strong correlation for someone who uses TDS to have Spybot S&D 1.3. Your post to me should probably be maintained here as a sticky on host file management too. I would not know where to look to find all this info.
    Appreciate your help and interest, have a good week:

    Mike
     
  13. FanJ

    FanJ Guest

    Hi Mike,

    You're welcome ! :)

    PS:
    I think the problem that you have found was not a TDS-3 problem but a Spybot S&D issue ;). Your TDS-3 was helping to find it; thanks to you (and thanks to LowWaterMark for having a closer look at it, and to Derek for posting that here)! :)

    Cheers, Jan.
     
  14. MnSD

    MnSD Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    17
    Location:
    San Diego, CA.
    Jan,
    One more thing: I have to give credit to Pieter's team, which seems to focus on the spyware/trojans stuff and looks over the HijackThis logs. I went there first and we just seemed to hit a dead end, as my log was pretty normal. I still felt something was not making sense. I just kept reading forums and posts until I saw the one by Lostsoul on Resolving Hosts the other day, and that's how I posted in this forum and not, say, Spybot S&D... kinda just wound up here. It's really pretty amazing how all the software, for the most part, is pretty complementary without too many hiccups; Spybot already has a false positive warning when using certain software. Hopefully they can work with the DiamondCS dev team to come up with a fast tweak to one or the other program. Now back to the help file on how to use Interrogate in TDS for that pesky IP address in China that keeps trying to bust through my firewall.

    Take care,
    Mike
     