
Thread: Browser hijack help (CoolWebSearch)

  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    14

    Browser hijack help (CoolWebSearch)

    Hey everyone,

    This is my first post. I'm hoping this great site might shed some light on this.

    I'm running Windows XP with all the updates and patches, along with a Linksys router and the default XP firewall only. I managed to get the CoolWebSearch malware on my box and can't seem to shake it.

    After reading previous suggestions from this site, I booted in safe mode, ran Spybot and Ad-aware, and both programs deleted the corresponding CoolWebSearch entries.

    All seemed fine and I left my computer on. A few hours later upon return, when I clicked IE6, CoolWebSearch was back. I did the scan again and entries were again found.

    An hour later the same thing. So I booted in safe mode, ran HijackThis, and deleted all the browser hijacks.

    Any ideas? Am I missing a step here? How does it keep coming back?

    Thanks for your help all.

  2. #2
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    CoolWebSearch is a new style of program that Spybot and Ad-aware don't work well on. You need to get CWShredder, which is made for CoolWebSearch and its variants.
    Go here for all the information you could want about this: http://www.spywareinfo.com/~merijn/cwschronicles.html
    And here is the download page for CWShredder: http://www.spywareinfo.com/~merijn/downloads.html
    I believe that will take care of it for you. Please keep us advised.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    111
    Originally posted here by slarty
    Go to the IE options dialogue, find "Advanced", and from memory there is an option called "Enable third party add-ons" or something similar. Turn it off, and restart all browser windows.

    All alien toolbars should be gone.

    Slarty

    Disable the 3rd party add-ons for a quick fix as stated by slarty.

    Ad-aware Cloak 1.0 --- http://www.lavasoftnews.com/theeye/i17/a4.html

    Ad-aware Cloak will allow Ad-aware to open fully when there are items on the system which close Ad-aware when it attempts to start, such as some CoolWebSearch variants. To use Ad-aware Cloak, save it to your system, and run the program before opening Ad-aware. Once Ad-aware Cloak opens, click "Activate Cloak" and then open Ad-aware and scan as normal. When you are done using Ad-aware, close Ad-aware Cloak.

    Well... while replying I glanced and it looks like moxnix already hooked you up.

    Run Spybot and update it and stuff like this prolly won't happen.

    NORML


  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    I would recommend booting into safe mode before running your countermeasures, so you did the right thing there.

    Also, there is a little additional CWS proggy for particularly nasty forms of it......I don't have the link at present but will try to find it and edit this post shortly. It is somewhere on Merijn's site, but the guy has been under a lot of DoS attacks recently, so I am not sure where he is at the moment.............good trade reference though..............he must be rattling their cages

    There is a 30 day trial of "The Sweeper" from Moosoft............pretty good.........you have to run it from a NORMAL Windows boot.

    You might also like to try "Housecall" from TrendMicrosystems..............that is a pretty good online malware scanner.

    You might also like to get WinPatrol 6.5 from BillP Studios..........have a look at your Browser Helper Objects (BHOs, Internet Helpers)..........just kill them if you don't recognise them.....they will come back if needed

    http://winpatrol.com


    Good luck

    EDIT: I cannot find a link at present, what you want is: miniremoval_coolwebsearch_smartkiller.exe

    If you have a problem, PM me and I will zip a copy for you

  5. #5

  6. #6
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Dietzol, here's a little extended information on CoolWebSearch for future reference.
    http://www.spywareguide.com/product_show.php?id=599
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    You've probably sorted this out by now but after you've done your cleaning you may want to enter the registry and check

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    to make sure CoolWebSearch has been removed. Otherwise the OS may still try to run it on start up.
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn
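
The registry checks suggested in this thread (the Run key from post #7 and the Browser Helper Objects from post #4), as an added example that is not part of any poster's message. It assumes PowerShell 3.0 or later, also reads the per-user HKCU Run key that the thread does not mention, and uses illustrative function names.

```powershell
# Added example: list autostart commands and Browser Helper Objects (BHOs)
# so leftover entries can be reviewed after a cleanup. Read-only; nothing is deleted.

# Run keys to inspect. HKLM is the key named in the thread; HKCU is an added assumption.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

function Get-BrowserHelperObject {
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bhoRoot)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $sub.PSChildName
        # Each BHO is a COM class; its DLL path is the default value of InprocServer32.
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $server) {
            $dll = (Get-Item -LiteralPath $server).GetValue('')
        }
        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            # A registered BHO whose DLL is missing is a leftover from a partial removal.
            DllExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

Get-RunEntry            | Format-Table -AutoSize -Wrap
Get-BrowserHelperObject | Format-Table -AutoSize -Wrap
```

Running it once before and once after a scan, and comparing the two listings, shows which entries reappear.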

  8. #8
    Junior Member
    Join Date
    Mar 2004
    Posts
    14

    =)

    Thank you all for your quick responses and help. CWShredder did locate several variants and removed them. Previously I tried Housecall and it didn't locate the problem.

    Thanks again everyone. This was a lil nasty bugger that I hadn't experienced before.

  9. #9
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038

    Re: =)

    Originally posted here by Dietzol
    Thank you all for your quick responses and help. CWShredder did locate several variants and removed them. Previously I tried Housecall and it didn't locate the problem.

    Thanks again everyone. This was a lil nasty bugger that I hadn't experienced before.
    Also check in your Add/Remove programs. CoolWebSearch (some versions of it) allows you to uninstall it from add/remove programs.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
